This commit is contained in:
2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
@@ -0,0 +1,184 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "1.0"
Task = "Ensure 'Debug programs' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "2.1"
Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RequireIntegrityActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel"
if ($regValue -ne 0x00000001) {
return @{
Message = "Registry value is '$regValue'. Expected: 0x00000001"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.2"
Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RaiseActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel"
if ($regValue -ne 0x00000002) {
return @{
Message = "Registry value is '$regValue'. Expected: 0x00000002"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
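Review bot: The catch-all at the end of ConvertTo-NTAccountUser folds every translation failure into an expected-list entry named "Orphaned Account" whose Sid is the raw input, so a mistyped identity in a test definition is silently accepted into the comparison instead of being surfaced to whoever runs the audit. A one-line diagnostic before the fallback return keeps the contract and makes the problem visible: `Write-Warning "[ConvertTo-NTAccountUser] Could not translate identity '$Name': $($_.Exception.Message)"`. Separately, `$language.Name -match "de-DE"` is a regex match where an exact comparison states the intent, `if ($language.Name -eq "de-DE") {`; whether other German UI cultures report the same localized group names is not visible here and would need confirming before widening that check.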
@@ -0,0 +1,684 @@
[AuditTest] @{
Id = "1.1.1"
Task = "Ensure 'Enable site isolation for every site' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SitePerProcess" `
| Select-Object -ExpandProperty "SitePerProcess"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "Ensure 'Supported authentication schemes' is set to 'ntlm, negotiate'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "AuthSchemes" `
| Select-Object -ExpandProperty "AuthSchemes"
if ($regValue -notmatch "^(ntlm\s*,\s*negotiate|negotiate\s*,\s*ntlm)$") {
return @{
Message = "Registry value is '$regValue'. Expected: ntlm, negotiate"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "Ensure 'Allow user-level native messaging hosts (installed without admin permissions)' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "NativeMessagingUserLevelHosts" `
| Select-Object -ExpandProperty "NativeMessagingUserLevelHosts"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SmartScreenEnabled" `
| Select-Object -ExpandProperty "SmartScreenEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "PreventSmartScreenPromptOverride" `
| Select-Object -ExpandProperty "PreventSmartScreenPromptOverride"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "PreventSmartScreenPromptOverrideForFiles" `
| Select-Object -ExpandProperty "PreventSmartScreenPromptOverrideForFiles"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SSLErrorOverrideAllowed" `
| Select-Object -ExpandProperty "SSLErrorOverrideAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.8"
Task = "Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SmartScreenPuaEnabled" `
| Select-Object -ExpandProperty "SmartScreenPuaEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.9"
Task = "Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "BasicAuthOverHttpEnabled" `
| Select-Object -ExpandProperty "BasicAuthOverHttpEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.10"
Task = "Ensure 'Allow unconfigured sites to be reloaded in Internet Explorer mode' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerIntegrationReloadInIEModeAllowed" `
| Select-Object -ExpandProperty "InternetExplorerIntegrationReloadInIEModeAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.11"
Task = "Ensure 'Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SharedArrayBufferUnrestrictedAccessAllowed" `
| Select-Object -ExpandProperty "SharedArrayBufferUnrestrictedAccessAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.12"
Task = "Ensure 'Specifies whether to allow websites to make requests to more-private network endpoints' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InsecurePrivateNetworkRequestsAllowed" `
| Select-Object -ExpandProperty "InsecurePrivateNetworkRequestsAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.13"
Task = "Ensure 'Enable browser legacy extension point blocking' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "BrowserLegacyExtensionPointsBlockingEnabled" `
| Select-Object -ExpandProperty "BrowserLegacyExtensionPointsBlockingEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.14"
Task = "Ensure 'Show the Reload in Internet Explorer mode button in the toolbar' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerModeToolbarButtonEnabled" `
| Select-Object -ExpandProperty "InternetExplorerModeToolbarButtonEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.15"
Task = "Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "TyposquattingCheckerEnabled" `
| Select-Object -ExpandProperty "TyposquattingCheckerEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.16"
Task = "Ensure 'Enhance images enabled' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "EdgeEnhanceImagesEnabled" `
| Select-Object -ExpandProperty "EdgeEnhanceImagesEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.17"
Task = "Ensure 'Force WebSQL to be enabled' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "WebSQLAccess" `
| Select-Object -ExpandProperty "WebSQLAccess"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.18"
Task = "Ensure 'Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed" `
| Select-Object -ExpandProperty "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.20"
Task = "Block all extensions not on allow list"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist" `
-Name "1" `
| Select-Object -ExpandProperty "1"
if ($regValue -ne "*") {
return @{
Message = "Registry value is '$regValue'. Expected: *"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
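Review bot: Test 1.1.20 reads only the value named "1" under ExtensionInstallBlocklist, so a blocklist whose "*" entry sits at any other index (the policy is written as numbered values) is reported as non-compliant with a misleading message, and a key where "1" is an explicit extension id rather than "*" is likewise rejected even though the wildcard may be present. Reading the key without `-Name` and checking whether any numbered value equals "*" matches the task's wording; note that without `-Name` the PSArgumentException branch no longer fires, while a missing key still raises ItemNotFoundException. The id sequence also jumps from 1.1.18 to 1.1.20; if 1.1.19 was dropped deliberately, a one-line comment saying so would save the next reader a search.
```powershell
try {
    $blocklist = Get-ItemProperty -ErrorAction Stop `
        -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist"
    $entries = $blocklist.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Select-Object -ExpandProperty Value
    if ($entries -notcontains "*") {
        return @{
            Message = "ExtensionInstallBlocklist contains '$($entries -join ', ')'. Expected an entry '*'"
            Status = "False"
        }
    }
}
# … unchanged: catch blocks and Compliant return …
```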
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "200"
Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "201"
Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "202"
Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "203"
Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "204"
Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "205"
Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "206"
Task = "(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "207"
Task = "(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "208"
Task = "(ND) Ensure 'Reset account lockout counter after' is set to '15 or`nmore minute(s)'. "
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
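Review bot: Test 202's task text says "24 or more password(s)" but the check is `if ($setPolicy -ne 24) {`, so a stricter setting such as 30 is reported as non-compliant; the sibling tests 204–208 use the lower-bound form, and this one should too: `if ($setPolicy -lt 24) {` with the message `Expected: x >= 24`. Test 208's Task string contains an escaped newline (`15 or`nmore minute(s)`) that will render as a line break in any report; it reads like a paste artifact and should be a space.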
@@ -0,0 +1,77 @@
# Common
function Get-AuditPolicySubcategoryGUID {
Param(
[Parameter(Mandatory = $true)]
[AllowEmptyString()]
[string] $Subcategory
)
$map = @{
"Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}"
"Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}"
"System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}"
"IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}"
"Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}"
"Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}"
"Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}"
"Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}"
"IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}"
"IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}"
"IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}"
"Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}"
"Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}"
"Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}"
"User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}"
"Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}"
"File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}"
"Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}"
"Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}"
"SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}"
"Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}"
"Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}"
"Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}"
"File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}"
"Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}"
"Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}"
"Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}"
"Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}"
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}"
"Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}"
"Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}"
"Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}"
"Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}"
"Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}"
"Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}"
"DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}"
"RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}"
"Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}"
"Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}"
"Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}"
"Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}"
"Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}"
"MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}"
"Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}"
"Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}"
"User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}"
"Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}"
"Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}"
"Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}"
"Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}"
"Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}"
"Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}"
"Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}"
"Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}"
"Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}"
"Credential Validation" = "{0CCE923F-69AE-11D9-BED3-505054503030}"
"Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}"
"Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}"
"Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}"
}
if ($map.ContainsKey($Subcategory)) {
return $map[$Subcategory]
}
return ""
}
# Tests
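Review bot: Get-AuditPolicySubcategoryGUID returns the empty string for any name not in the map, and because the parameter carries `[AllowEmptyString()]` an empty input takes the same path, so a misspelled subcategory in a test definition and a deliberately empty one are indistinguishable to the caller. If the empty string is the intended "not found" sentinel, a diagnostic before the fallback keeps that contract while making typos visible: `Write-Warning "[Get-AuditPolicySubcategoryGUID] Unknown subcategory '$Subcategory'"`. The "# Tests" marker closes the hunk with nothing after it; if the test definitions live in a later part of the file that is fine, otherwise the comment is dead.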
@@ -0,0 +1,156 @@
[AuditTest] @{
Id = "235"
Task = "(ND, NE) Configure 'Accounts: Rename administrator account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "236"
Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "237"
Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. "
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "238"
Task = "(ND, NE) Configure 'Accounts: Rename guest account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "249"
Task = "(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "263"
Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
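Review bot: Tests 236, 237, 249 and 263 compare `$setOption -ne 0` on the raw policy value, whereas the password-policy tests in this same commit (200–208) first cast with `[long]$setPolicy`; since the left operand is a string, PowerShell converts the right side to a string, so a value like " 0" or "00" would be reported as non-compliant with a message that appears to show the expected number. Adding `$setOption = [long]$setOption` after the null check in each of those four tests makes the comparison numeric and consistent with 200–208. In test 238 the inline `(?i)` is redundant because `-notmatch` is already case-insensitive, while test 235 relies on that default without it; pick one convention for both.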
@@ -0,0 +1,711 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\Firewall.ps1"
[AuditTest] @{
Id = "4.1.1"
Task = "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "CrashOnAuditFail" `
| Select-Object -ExpandProperty "CrashOnAuditFail"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.1.2"
Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "SCENoApplyLegacyAuditPolicy" `
| Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.2.1.1"
Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log";
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.2"
Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.3"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogDroppedPackets"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.4"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogSuccessfulConnections"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.1"
Task = "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log";
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.2"
Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.3"
Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogDroppedPackets"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.4"
Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogSuccessfulConnections"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.1"
Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "AllowLocalPolicyMerge"
$expectedValue = 0;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.2"
Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "AllowLocalIPsecPolicyMerge"
$expectedValue = 0;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.3"
Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log";
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.4"
Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.3.1.1"
Task = "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" `
-Name "WarningLevel" `
| Select-Object -ExpandProperty "WarningLevel"
if (($regValue -gt 90)) {
return @{
Message = "Registry value is '$regValue'. Expected: x <= 90"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.1.1"
Task = "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.1.2"
Task = "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.2.1"
Task = "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.2.2"
Task = "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.3.1"
Task = "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 196608)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 196608"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.3.2"
Task = "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.4.1"
Task = "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.4.2"
Task = "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.3.1"
Task = "Ensure 'Include command line in process creation events' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
-Name "ProcessCreationIncludeCmdLine_Enabled" `
| Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.4.2"
Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockLogging" `
| Select-Object -ExpandProperty "EnableScriptBlockLogging"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.4.3"
Task = "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" `
-Name "EnableTranscripting" `
| Select-Object -ExpandProperty "EnableTranscripting"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
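Review bot: Test 4.2.2.1 (L1435) reads the Private profile's fallback from `...\FirewallPolicy\PrivateProfile\Logging`, while its siblings 4.2.2.2–4.2.2.4 read the same profile from `...\FirewallPolicy\StandardProfile\Logging`; one spelling is wrong, and if the service key is `StandardProfile` as the siblings assume, 4.2.2.1 can never find the value on its fallback path, so align it with `$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"`. Separately, 4.2.1.1 expects `%SYSTEMROOT%\System32\...` where 4.2.2.1 and 4.2.3.3 expect `%SystemRoot%\System32\...`; unless Test-FirewallPaths (sourced from Helpers\Firewall.ps1, not in this hunk) compares case-insensitively, the Domain test fails on a correctly configured host, so the casing should be normalised across the three tests. Finally, 4.3.3.1, 4.3.4.2 and 4.3.4.3 require command-line auditing, script block logging and transcription to be Disabled, which inverts the usual detection-oriented hardening guidance; a comment naming the benchmark that mandates the value 0 would stop a later maintainer from "correcting" the expected value.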
@@ -0,0 +1,171 @@
[AuditTest] @{
Id = "200"
Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "201"
Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "202"
Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "203"
Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "204"
Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "205"
Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
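Review bot: Test 202 (L2030) fails any value other than exactly 24 with `if ($setPolicy -ne 24)`, but its Task text requires '24 or more password(s)', so a stricter history size such as 30 is reported as non-compliant. Change the guard to `if ($setPolicy -lt 24) {` and the message to `Expected: x >= 24`, which is the pattern tests 204 and 205 already use for their lower bounds.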
@@ -0,0 +1,77 @@
# Common
function Get-AuditPolicySubcategoryGUID {
Param(
[Parameter(Mandatory = $true)]
[AllowEmptyString()]
[string] $Subcategory
)
$map = @{
"Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}"
"Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}"
"System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}"
"IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}"
"Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}"
"Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}"
"Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}"
"Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}"
"IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}"
"IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}"
"IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}"
"Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}"
"Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}"
"Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}"
"User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}"
"Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}"
"File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}"
"Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}"
"Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}"
"SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}"
"Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}"
"Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}"
"Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}"
"File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}"
"Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}"
"Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}"
"Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}"
"Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}"
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}"
"Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}"
"Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}"
"Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}"
"Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}"
"Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}"
"Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}"
"DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}"
"RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}"
"Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}"
"Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}"
"Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}"
"Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}"
"Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}"
"MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}"
"Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}"
"Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}"
"User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}"
"Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}"
"Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}"
"Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}"
"Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}"
"Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}"
"Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}"
"Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}"
"Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}"
"Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}"
"Credential Validation" = "{0CCE923F-69AE-11D9-BED3-505054503030}"
"Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}"
"Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}"
"Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}"
}
if ($map.ContainsKey($Subcategory)) {
return $map[$Subcategory]
}
return ""
}
# Tests
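Review bot: Get-AuditPolicySubcategoryGUID returns an empty string for any name not in the map, and because the parameter carries [AllowEmptyString()] a caller that passes a typo or an empty subcategory gets the same "" back with no signal, so a mis-typed subcategory in a test silently produces a meaningless lookup. A one-line `Write-Warning "[Get-AuditPolicySubcategoryGUID] Unknown subcategory '$Subcategory'"` before `return ""` would surface the miss without changing the contract. The function also has no comment-based help; a `.SYNOPSIS`/`.OUTPUTS` block stating that it maps an audit-policy subcategory display name to its GUID and returns "" when the name is unknown would document the empty-string contract for callers.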
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "235"
Task = "(ND, NE) Configure 'Accounts: Rename administrator account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "236"
Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "237"
Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. "
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "238"
Task = "(ND, NE) Configure 'Accounts: Rename guest account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "263"
Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
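Review bot: Tests 235 and 238 appear to handle case differently: 238 (L2280) embeds `(?i)` in its pattern while 235 (L2208) does not, yet both run under `-notmatch`, which is case-insensitive by default in PowerShell, so the `(?i)` is redundant and a reader may wrongly conclude 235 is case-sensitive. Either drop `(?i)` from 238 or add `# -notmatch is case-insensitive by default; no (?i) needed` above the check in 235 so the two tests read consistently. The numeric tests 236, 237 and 263 compare the raw policy string with `-ne 0`, whereas the password-policy tests in this commit cast with `[long]` first; it works here because PowerShell coerces the right operand to the left operand's type, but the explicit cast would make the intent clear and the two files consistent.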
@@ -0,0 +1,289 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$avstatus = CheckForActiveAV
$windefrunning = CheckWindefRunning
if((Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise Evaluation" -or
(Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise"){
[AuditTest] @{
Id = "3.1.1"
Task = "Configuration of the lowest possible telemetry-level (Enterprise Windows 10)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
-Name "AllowTelemetry" `
| Select-Object -ExpandProperty "AllowTelemetry"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
}
else{
[AuditTest] @{
Id = "3.1.1"
Task = "Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
-Name "AllowTelemetry" `
| Select-Object -ExpandProperty "AllowTelemetry"
$saferClients = @("*Server*","*Education*","*Enterprise*")
$productname = Get-ComputerInfo | select -ExpandProperty OsName
if (($productname -notcontains $saferClients) -and ($regValue -eq 1)){
return @{
Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'."
Status = "Warning"
}
}
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
}
[AuditTest] @{
Id = "3.1.2 A"
Task = "Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.2 B"
Task = "Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 A"
Task = "Deactivation of telemetry according to Microsoft - Disable Windows Update Service"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 B"
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS"
Test = {
try {
if($avstatus){
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SpynetReporting" `
| Select-Object -ExpandProperty "SpynetReporting"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 C"
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files"
Test = {
try {
if($avstatus){
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SubmitSamplesConsent" `
| Select-Object -ExpandProperty "SubmitSamplesConsent"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
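Review bot: The SKU check in the non-Enterprise '3.1.1' test, `if (($productname -notcontains $saferClients) -and ($regValue -eq 1))`, is always true: `-notcontains` expects the collection on the left and a scalar on the right, but here the left side is a single string and the right side the whole `$saferClients` array, which never equals that string, and the wildcard patterns in `$saferClients` only have meaning with `-like`. A condition that does what the message describes would be `$isSaferSku = [bool]($saferClients | Where-Object { $productname -like $_ })` followed by `if (-not $isSaferSku -and $regValue -eq 1) {`. As written, every system with AllowTelemetry = 1 that reaches this branch is reported as Warning, including the Education and Server editions the list was meant to exclude, so those never get the 'Expected: 0' False result. Separately, the edition test at the top of the file calls `Get-WmiObject` twice for the same caption; evaluating it once into a variable (or using `Get-CimInstance`) would be cleaner.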
@@ -0,0 +1,199 @@
[AuditTest] @{
Id = "Medium-001"
Task = "Ensure 'Account lockout duration' is set to 0"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-002"
Task = "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-003"
Task = " Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -ne 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x == 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-146"
Task = "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-147"
Task = "Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-148"
Task = "Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-149"
Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
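Review bot: The 'Medium-003' test contradicts its own Task text: the Task requires 'Reset account lockout counter after' to be '15 or more minute(s)', but the check is `if (($setPolicy -ne 15))`, so a compliant value such as 30 is reported as False with the message 'Expected: x == 15'. The comparison should be `if ($setPolicy -lt 15) {` with the message text changed to `Expected: x >= 15`, which is how 'Medium-147' expresses its lower bound. The remaining tests in this file agree with their Task text.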
@@ -0,0 +1,110 @@
[AuditTest] @{
Id = "High-032"
Task = "Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-005"
Task = "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-069"
Task = "Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-208"
Task = "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
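Review bot: All four tests compare the raw policy value with `$setOption -ne 0` (or `-ne 1`) without the `[long]` cast that the password-policy file in this commit applies to the same 'System Access' values. If the resource returns these values as strings, PowerShell converts the right-hand integer to a string and compares text, so the comparison depends on the exact spelling of the exported value rather than its numeric meaning. Adding `$setOption = [long]$setOption` after the null check makes the comparison numeric and consistent with the other file; the '237' and '263' tests in the preceding file have the same shape. Since the four bodies differ only in the key name, the expected value and the Task, a shared helper would also shrink this file considerably.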
@@ -0,0 +1,926 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "Medium-013"
Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-014"
Task = "Ensure 'Deny access to this computer from the network' is set to 'NT AUTHORITY\Local Account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-040"
Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-171"
Task = "Ensure 'Deny log on through Remote Desktop Services' is set to 'Administrators, NT AUTHORITY\Local Account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-185"
Task = "Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-232"
Task = "Ensure 'Back up files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-233"
Task = "Ensure 'Restore files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-234"
Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-235"
Task = "Ensure 'Act as part of the operating system' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-236"
Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-240"
Task = "Ensure 'Create a pagefile' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-241"
Task = "Ensure 'Create a token object' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-242"
Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-19"
"S-1-5-20"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-243"
Task = "Ensure 'Create permanent shared objects' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-244"
Task = "Ensure 'Debug programs' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-245"
Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-246"
Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-247"
Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-19"
"S-1-5-20"
"S-1-5-6"
"S-1-5-32-568"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-248"
Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-249"
Task = "Ensure 'Lock pages in memory' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-250"
Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-251"
Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-252"
Task = "Ensure 'Profile single process' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-253"
Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 365 -or $setPolicy -le 0) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
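Review bot: The check in test 1.1.1, `if ($setPolicy -ne 24)`, does not express its Task text "24 or more password(s)": the other bounded checks in this hunk (1.1.3, 1.1.4, 1.2.1, 1.2.4) test a bound, and the failure message "Expected: 24" reads as an exact-match requirement. Windows caps the history size at 24, so only lower values occur in practice, but for consistency with the Task I would write `if ($setPolicy -lt 24) {` and `Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"`. As a point of style, the ten tests here repeat the same null check, `[long]` cast and return hashtables with only the key, bound and message varying; a small helper taking those three would make the per-test bodies a few lines and keep the message wording uniform.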
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
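Review bot: The failure messages of 2.3.1.4 and 2.3.1.5 print the raw regular expression as the expectation ("Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"), which is hard to read in an audit report; I would state the rule in words, e.g. `Message = "'NewAdministratorName' currently set to: $setOption. Expected: a name of 1-20 characters that is not 'Administrator'"` and the analogous text for 'NewGuestName'. The inline `(?i)` in both patterns is redundant, since PowerShell's `-notmatch` is already case-insensitive (`-cnotmatch` is the case-sensitive form); it is harmless, but it suggests the author expected case-sensitive matching, which might be worth a one-line comment if the intent is to keep the pattern portable.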
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-63405"
Task = "Windows 10 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63409"
Task = "The number of allowed bad logon attempts must be configured to 3 or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63413"
Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63415"
Task = "The password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63419"
Task = "The maximum password age must be configured to 60 days or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63421"
Task = "The minimum password age must be configured to at least 1 day."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63423"
Task = "Passwords must, at a minimum, be 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63427"
Task = "The built-in Microsoft password complexity filter must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63429"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
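Review bot: The condition in V-63409, `if (($setPolicy -lt 3 -or $setPolicy -eq 0))`, is inverted relative to its Task "must be configured to 3 or less": a threshold of 1 or 2 is reported as a failure, while 4, 5 or any larger value passes as compliant, and the message "Expected: x >= 3 and x != 0" repeats the inverted rule. It should be `if ($setPolicy -gt 3 -or $setPolicy -le 0) {` with `Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 3 and x > 0"`, matching the shape of CIS 1.2.2 earlier in this page. Related: V-63419 tests `$setPolicy -gt 60 -or $setPolicy -eq 0`, but the CIS 1.1.2 test on this page notes that a policy value of 0 ("never expires") is exported as -1, which `-eq 0` does not catch and `-gt 60` does not either, so a never-expiring password would pass; `-le 0` covers both.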
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "V-63601"
Task = "The built-in administrator account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63611"
Task = "The built-in guest account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63619"
Task = "The built-in administrator account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63625"
Task = "The built-in guest account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63739"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
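Review bot: The failure messages of V-63619 and V-63625 stop at "currently set to: $setOption." without saying what was expected, unlike every other test in this section and the CIS equivalents on this page, so a report reader cannot tell why the value failed. I would use `Message = "'NewAdministratorName' currently set to: $setOption. Expected: a name other than 'Administrator'"` and `Message = "'NewGuestName' currently set to: $setOption. Expected: a name other than 'Guest'"`. V-63619 omits the `(?i)` that V-63625 carries; both behave the same because `-notmatch` is case-insensitive in PowerShell, but the two patterns should be written the same way so the difference does not look intentional.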
@@ -0,0 +1,956 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") {
return @{
Account = $null
Sid = $sidAccount.Value
}
} else {
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "V-63843"
Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63845"
Task = "The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"Administrators"
"Remote Desktop Users"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63847"
Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63851"
Task = "The Allow log on locally user right must only be assigned to the Administrators and Users groups."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"Administrators"
"Users"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63853"
Task = "The Back up files and directories user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63857"
Task = "The Create a pagefile user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63859"
Task = "The Create a token object user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63861"
Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"Administrators"
"LOCAL SERVICE"
"NETWORK SERVICE"
"SERVICE"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63863"
Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63865"
Task = "The Create symbolic links user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63869"
Task = "The Debug programs user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63871"
Task = "The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63877"
Task = "The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
$identityAccounts = @(
"Enterprise Admins"
"Domain Admins"
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63879"
Task = "The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"Enterprise Admins"
"Domain Admins"
"Local account"
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63881"
Task = "The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63883"
Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63889"
Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"Administrators"
"LOCAL SERVICE"
"NETWORK SERVICE"
"SERVICE"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63917"
Task = "The Load and unload device drivers user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63925"
Task = "The Lock pages in memory user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63927"
Task = "The Manage auditing and security log user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63931"
Task = "The Modify firmware environment values user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63933"
Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63935"
Task = "The Profile single process user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63939"
Task = "The Restore files and directories user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63941"
Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
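Review bot: The expected deny list for V-63871 (`SeDenyNetworkLogonRight`, the `$identityAccounts` array in that test) contains only `"Guests"`, although the test's own Task text requires blocking highly privileged domain accounts and local accounts as well, and the sibling V-63879 encodes exactly that as `"Enterprise Admins"`, `"Domain Admins"`, `"Local account"`, `"Guests"`; as written, a host that denies only Guests is reported Compliant. Aligning the array with V-63879 — adding `"Enterprise Admins"`, `"Domain Admins"` and `"Local account"` before `"Guests"` — makes the check match its description. Separately, `ConvertTo-NTAccountUser` maps any name it cannot translate to the literal `Account = "Orphaned Account"`, so on a host where `Enterprise Admins`/`Domain Admins` do not resolve (presumably a non-domain-joined machine) the `$missingUsers` comparison in V-63877 and V-63879 reports "Orphaned Account" as a missing user instead of saying which group could not be resolved; filtering those placeholders out, or naming the unresolved identity via its `Sid`, before the comparison would give an accurate finding. The two `Translate([System.Security.Principal.NTAccount])` calls around the `"NULL SID"` check in the same function could also be collapsed into one local. The section header announces 956 added lines but fewer are rendered here, so tests beyond the visible ones are not covered by this note.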
@@ -0,0 +1,196 @@
[AuditTest] @{
Id = "AccountPolicy-216"
Task = "Ensure 'MinimumPasswordLength' is set to '14'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-217"
Task = "Ensure 'PasswordComplexity' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-218"
Task = "Ensure 'PasswordHistorySize' is set to '24'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-219"
Task = "Ensure 'LockoutBadCount' is set to '10'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-220"
Task = "Ensure 'ResetLockoutCount' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-221"
Task = "Ensure 'LockoutDuration' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-222"
Task = "Ensure 'ClearTextPassword' is set to '0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
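Review bot: The Task text and the check disagree in AccountPolicy-219: the Task says LockoutBadCount "is set to '10'", but the condition `if (($setPolicy -gt 10 -or $setPolicy -le 0))` accepts any value from 1 to 10, as the failure message itself states. Conversely AccountPolicy-216 and -218 use exact equality (`if ($setPolicy -ne 14)`, `if ($setPolicy -ne 24)`), so a host configured with a longer minimum length or a deeper password history is reported as non-compliant although it is at least as strong; if the benchmark intent is a floor, `if ($setPolicy -lt 14)` with the message "Expected: x >= 14" would match the range style already used for LockoutBadCount. Either way the Task string should state the range the check enforces. The `[long]$setPolicy` cast is unguarded in all seven tests, so a non-numeric value in the policy export throws out of the test block instead of yielding a "False" result — worth confirming that the AuditTest runner (not visible here) catches that.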
@@ -0,0 +1,26 @@
[AuditTest] @{
Id = "SecurityOption-169"
Task = "Ensure 'LSAAnonymousNameLookup' is set to '0'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
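Review bot: SecurityOption-169 compares `$setOption -ne 0` without the `[long]` cast that the account-policy tests in this commit apply before comparing; the type of the exported value is not visible here, but if it is a string PowerShell converts the right operand to string, so "00" or " 0" would be reported as non-compliant while "0" passes. Adding `$setOption = [long]$setOption` after the null check keeps the test consistent with the other numeric checks. The local name `$securityOption` also differs from the `$securityPolicy` name used for the same resource elsewhere; aligning it makes the tests easier to scan.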
@@ -0,0 +1,882 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") {
return @{
Account = $null
Sid = $sidAccount.Value
}
} else {
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "UserRight-170"
Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-171"
Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-172"
Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-173"
Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-174"
Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-175"
Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-176"
Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-177"
Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-178"
Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-179"
Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if ($missingUsers.Count -gt 0) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-180"
Task = "Ensure 'Access this computer from the network' is set to 'Administrator, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-181"
Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-6"
"S-1-5-19"
"S-1-5-20"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-182"
Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-183"
Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-6"
"S-1-5-19"
"S-1-5-20"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-184"
Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-185"
Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-186"
Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-187"
Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-188"
Task = "Ensure 'Debug programs' is set to 'Administrators'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-189"
Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-190"
Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-191"
Task = "Ensure 'SeTcbPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-192"
Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
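Review bot: `ConvertTo-NTAccountUser` calls `$sidAccount.Translate([System.Security.Principal.NTAccount])` twice on the success path — once in the `-eq "NULL SID"` comparison and again when building the result — and the comparison relies on PowerShell coercing the NTAccount object to a string. Translating once and branching on the value is clearer and avoids the second lookup: `$ntAccount = $sidAccount.Translate([System.Security.Principal.NTAccount])`, `$account = if ($ntAccount.Value -eq "NULL SID") { $null } else { $ntAccount }`, `return @{ Account = $account; Sid = $sidAccount.Value }`. Note that a hashtable with `Account = $null` still passes the `Where-Object { $null -ne $_ }` filter in every test, so a null Account would surface in `$identityAccounts.Account` and be reported as a missing user with an empty name; none of the identity lists in this file contains that SID, so this is only a latent edge. In UserRight-188, `$users += $currentUser.Values` appears to append a hashtable's value collection to a string, which yields a space-joined dump of both Account and Sid; collecting `$currentUser.Account` into an array and using `-join ", "` would produce a readable message.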
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 5 -or $setPolicy -le 0) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
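Review bot: The 1.1.1 check at L6281 fails any value other than exactly 24 although the Task text says '24 or more password(s)', so a stricter history size such as 25 is reported as non-compliant; change it to `if ($setPolicy -lt 24) {` with the message `Expected: x >= 24`, the way 1.1.4 already handles its 'or more' rule. The second copy of this file at L6631 carries the same comparison. Separately, `[long]$setPolicy` is applied unguarded in every test of this section; if the exported value is ever non-numeric the cast throws inside the Test scriptblock, and whether the AuditTest runner catches that is not visible in this commit.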
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
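Review bot: The failure messages for 2.3.1.4 (L6535) and 2.3.1.5 (L6559) state only the current value and not what was expected, unlike every other test in this file and the later copy of these two tests, which append the expectation; add the same suffix here, e.g. `Message = "'NewAdministratorName' currently set to: $setOption. Expected any other name than 'Administrator'"`. The 2.3.1.4 pattern at L6533 also lacks the `(?i)` that 2.3.1.5 carries; with `-notmatch` this is harmless because PowerShell matching is case-insensitive by default, but keeping the two patterns parallel avoids a surprise if someone later switches to `-cnotmatch`.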
@@ -0,0 +1,284 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if ($setPolicy -eq -1) {
#Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
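Review bot: 1.2.3 at L6827 reads `AllowAdministratorLockout`, which as far as I know is only exported by builds that ship the 'Allow Administrator account lockout' policy; on an older build the null branch reports `Currently not set.`, indistinguishable from a supported host where the policy is merely unconfigured. If this file is meant to run on such builds too, a comment above the lookup naming that dependency, or a message such as `Message = "'AllowAdministratorLockout' not present in the exported policy (unsupported build or not configured)."`, would make the finding easier to act on. The target OS of this file is not visible in the commit, so this is an inference.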
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.1"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.3"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected any other name than 'Administrator'"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected any other name than 'Guest' or 'Gast'"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
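Review bot: The `(?=.{1,20}$)` lookahead at L6911 and L6935 makes a renamed account whose name exceeds 20 characters fail, yet the message on the following line only says 'Expected any other name than ...', so the length rule is invisible in the report. Either drop the lookahead (the control is about the name, not its length) or state the bound in the message, e.g. `Message = "'NewAdministratorName' currently set to: $setOption. Expected any other name than 'Administrator' (1-20 characters)"`. Note also that `\b` accepts names like 'Administrator2' because there is no word boundary between 'r' and '2'; whether such a rename satisfies the control is a benchmark question, but it is worth a comment so the gap is deliberate rather than accidental.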
@@ -0,0 +1,196 @@
[AuditTest] @{
Id = "AccountPolicy-361"
Task = "Ensure 'MinimumPasswordLength' is set to '14' character(s)."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-362"
Task = "The built-in Windows password complexity policy must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-363"
Task = "The password history must be configured to 24 passwords remembered"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-364"
Task = "Ensure 'LockoutBadCount' is set to '10' invalid logon attempt(s)"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-365"
Task = "Ensure 'Reset account lockout counter after' is set to '10 minutes'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 10 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-366"
Task = "Ensure 'LockoutDuration' is set to '10 minutes'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 10 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-367"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
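Review bot: AccountPolicy-361, -363, -364, -365 and -366 compare with `-ne`, so a configuration stricter than the stated value (a 15-character minimum at L7010, a longer history at L7060, a lower lockout threshold at L7085, a longer reset window or lockout duration at L7110 and L7135) is reported as non-compliant. If the underlying standard specifies these as bounds, the comparisons should be `-lt`/`-gt` with matching `Expected: x >= 14` style messages; if exact values are intended, a one-line comment on each test saying so would stop the next reader from 'fixing' it. The Task strings literally say 'set to', so this is a question about intent rather than a definite bug.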
@@ -0,0 +1,26 @@
[AuditTest] @{
Id = "SecurityOption-142"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,875 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "UserRight-143"
Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-144"
Task = "Ensure 'Restore files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-145"
Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-146"
Task = "Ensure 'Back up files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-147"
Task = "Ensure 'Deny log on through Remote Desktop Services' to include 'Local account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-148"
Task = "Ensure 'Create permanent shared objects' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-149"
Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-150"
Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-151"
Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-152"
Task = "Ensure 'Deny access to this computer from the network' is set to 'Local account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-153"
Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-154"
Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed]"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-19"
"S-1-5-20"
"S-1-5-32-544"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-155"
Task = "Ensure 'Create a token object' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-156"
Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-19"
"S-1-5-20"
"S-1-5-32-544"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-157"
Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-158"
Task = "The Create a pagefile user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-159"
Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-160"
Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-161"
Task = "Ensure 'Debug programs' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-162"
Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-163"
Task = "Ensure 'Profile single process' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-164"
Task = "Ensure 'Act as part of the operating system' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-165"
Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
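Review bot: `if ($setPolicy -ne 24)` in the PasswordHistorySize test (1.1.1) reports any value above 24 as non-compliant, while the Task text says '24 or more'; `if ($setPolicy -lt 24)` together with `Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"` matches the stated control (Windows caps this setting at 24, so in practice this mostly affects the message). The same comparison is repeated in the second copy of this file below (the one with the 60-day and 10-attempt thresholds). Separately, the LockoutDuration check `if (($setPolicy -lt 15 -or $setPolicy -gt 99999))` in 1.2.1 also catches the `-1` that the export uses for the GUI value 0 ('until an administrator unlocks it'), assuming it follows the same encoding the MaximumPasswordAge test documents in its comment, and then prints a bare `-1`; whether that value should pass is a policy decision, but the message should at least translate it the way the MaximumPasswordAge branch does. The LockoutDuration and ResetLockoutCount tests in the second copy share this.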
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
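Review bot: `if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$")` in the NewAdministratorName test (2.3.1.4) is a negated match of a negative lookahead, which reads as a double negative; `if ($setOption -match "\bAdministrator\b")` states the same condition directly, and since PowerShell `-match` is case-insensitive by default the `(?i)` in the NewGuestName regex is redundant as well. Note that the `\b` anchors let names such as "Administrator2" or "LocalAdministrator" pass as renamed; if any name containing the word should be flagged, the anchors have to go. The failure message also lacks the `Expected:` part the other tests carry, e.g. `Message = "'NewAdministratorName' currently set to: $setOption. Expected: a name not containing 'Administrator'"`. Unlike the password-policy tests, the numeric checks in this file compare `$setOption` without the `[long]` cast, so `"00"` or a value with surrounding whitespace would be reported as non-compliant with a misleading message; casting first keeps the two files consistent.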
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,144 @@
[AuditTest] @{
Id = "2.0"
Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RequireIntegrityActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.1"
Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RaiseActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel"
if (($regValue -ne 2)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.0"
Task = "IPv6 Configuration Policy: Prefer IPv4 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0x20 (32)')"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" `
-Name "DisabledComponents" `
| Select-Object -ExpandProperty "DisabledComponents"
if (($regValue -ne 32)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 32"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.0"
Task = "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "ConsentPromptBehaviorUser" `
| Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
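Review bot: The `try` blocks at L8563, L8597, L8631 and L8665 only catch `PSArgumentException` and `ItemNotFoundException`, so any other failure while reading the key — an access-denied `SecurityException` on a key with a restrictive ACL, for instance — escapes the `Test` script block instead of being reported as a result. Unless the harness (not visible here) wraps every test, one unreadable key turns into an aborted run rather than a finding. A trailing `catch { return @{ Message = "Registry value could not be read: $($_.Exception.Message)"; Status = "False" } }` after the two specific handlers keeps the report uniform; the same applies to the other three tests in this section.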
@@ -0,0 +1,102 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "1.0"
Task = "Ensure 'Debug programs' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
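Review bot: `ConvertTo-NTAccountUser` calls `Get-WindowsOptionalFeature -Online` inside `process {}` (L8733–L8734), so the DISM query runs on every pass of the Hyper-V SID, whereas the copy of the same function at L9752–L9810 in this commit resolves the status once at load time via `$hyperVStatus = CheckHyperVStatus`. The two copies will drift; this file should use the same hoisted `$hyperVStatus` (or the helper) so the check is cheap and identical across files. Separately, the German mapping at L8708–L8714 is keyed on `Get-UICulture`, i.e. the language of the auditing session, not of the domain whose groups are being resolved; a German domain audited from an English session (or the reverse) presumably falls through to the `catch` and reports the group as `Orphaned Account`, which then surfaces as a missing or unexpected user rather than as a resolution error. Resolving those two groups by their well-known domain RIDs would remove the locale dependency, but that is a larger change than this hunk.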
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 365 -or $setPolicy -le 0) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0 "
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15 -or $setPolicy -gt 99999) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 and x <= 99999"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 99999 -or $setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 and x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
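Review bot: Test 1.1.1 (L8802) fails any `PasswordHistorySize` other than exactly 24 and its message reads `Expected: 24`, while the Task at L8791 says '24 or more'; the same pair appears at L9381 in the later CIS file. Since 24 is the largest value Windows accepts for this setting the practical effect is small, but the comparison and message should state the rule as written: `if ($setPolicy -lt 24) {` with `Expected: x >= 24`. The lockout tests 1.2.1 and 1.2.4 in this file add an upper bound of 99999 (L8955, L9005) that neither the Task text nor the sibling copies at L9534 and L9609 mention; either the bound belongs in the Task string or the check should match the other file.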
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
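Review bot: The rename check at L9057 wraps `Administrator` in `\b`, so a value such as `Administrator2` or `xAdministrator` passes because no word boundary adjoins the token, while `(?i)` makes a bare `administrator` fail; if the intent is that the built-in name must not appear at all, the lookahead should be `(?!.*Administrator)` and the `Expected:` text at L9059 updated to match. The same construct is used for `Guest|Gast` at L9081, and this whole file is repeated verbatim at L9622–L9744 (L9661, L9685), so any change applies there too. Unlike the password-policy tests, these compare `$setOption` without a `[long]` cast (L9033, L9105, L9129); given that the sibling tests do cast, the value is presumably a string and `-ne 0` / `-ne 1` is a string comparison, which works for the plain `0`/`1` the export writes but a `[long]` cast would make it consistent with the other files.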
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-1097"
Task = "The number of allowed bad logon attempts must meet minimum requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1098"
Task = "The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1099"
Task = "Windows 2012 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1104"
Task = "The maximum password age must meet requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1105"
Task = "The minimum password age must meet requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -eq 0)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1107"
Task = "The password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1150"
Task = "The built-in Windows password complexity policy must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-2372"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-6836"
Task = "Passwords must, at a minimum, be 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
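Review bot: V-1097 (L9155) flags `LockoutBadCount` values below 3 and passes anything 3 or above, which is the opposite of a lockout-threshold rule: a threshold of 1 or 2 is stricter than 3 and should pass, while 50 should fail; the same condition and message are at L9851 under V-73311, whose Task text explicitly says 'three or less'. The check should read `if ($setPolicy -gt 3 -or $setPolicy -le 0) {` with the message `Expected: x <= 3 and x > 0` (the existing `-eq 0` clause is redundant with `-lt 3`). V-1104 (L9230) has a related gap: the CIS test at L8828 documents that a 'never expires' policy is exported as -1, and -1 is neither `-gt 60` nor `-eq 0`, so a non-expiring password is reported Compliant; `-le 0` instead of `-eq 0` closes that.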
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,71 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
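Review bot: `ConvertTo-NTAccountUser` reads `$hyperVStatus` on L9788, a variable assigned at script scope on L9750, and relies on PowerShell's dynamic scoping to find it through the caller's scope chain; if any caller's scope defines its own `$hyperVStatus`, the function silently picks that up instead. Writing it as `$script:hyperVStatus` on L9788 makes the dependency explicit. The comment on L9787 should also read `# Identity doesn't exist when Hyper-V isn't installed`. The `# Tests` marker on L9811 is the last line of this hunk, so whether the file defines any tests after it is outside my view.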
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-73309"
Task = "Windows 2016 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73311"
Task = "Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73313"
Task = "Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73315"
Task = "Windows Server 2016 password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73317"
Task = "Windows Server 2016 maximum password age must be configured to 60 days or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73319"
Task = "Windows Server 2016 minimum password age must be configured to at least one day."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -eq 0)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73321"
Task = "Windows Server 2016 minimum password length must be configured to 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73323"
Task = "Windows Server 2016 must have the built-in Windows password complexity policy enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73325"
Task = "Windows Server 2016 reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
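Review bot: The V-73311 check rejects the wrong side of the threshold: the Task says the number of allowed bad logon attempts must be three or less, but `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` fails a value of 2 and passes 10, and the message `Expected: x >= 3 and x != 0` encodes the same inversion; the condition should be `if ($setPolicy -gt 3 -or $setPolicy -le 0)` with the message changed to `Expected: x <= 3 and x != 0`. V-93141 in the Windows Server 2019 section further down has the identical condition and message. Separately, V-73317 tests MaximumPasswordAge with `-gt 60 -or $setPolicy -eq 0`, but the CIS 1.1.2 test in this same commit notes that a GPO value of 0 (never expires) is exported as -1, so -1 passes here; `-gt 60 -or $setPolicy -le 0` covers both, and the same applies to V-93477.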
@@ -0,0 +1,104 @@
[AuditTest] @{
Id = "V-73623"
Task = "Windows Server 2016 built-in administrator account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73625"
Task = "Windows Server 2016 built-in guest account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73665"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73809"
Task = "Windows Server 2016 built-in guest account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
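Review bot: V-73623 and V-73625 spell the same kind of check differently: the guest regex carries `(?i)` and the administrator regex does not, which reads as if the administrator check were case-sensitive. PowerShell's `-notmatch` is case-insensitive by default, so behaviour is the same either way, but the two should use one form; either drop `(?i)` from both or write `"^(?i)(?!.*\bAdministrator\b).*$"` for V-73623 as well. The failure messages of both rename tests omit what was expected, unlike every other test in this section; consider appending `Expected: a name that does not contain 'Administrator'` (and the Guest/Gast equivalent for V-73625).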
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "AccountPolicy-001"
Task = "Ensure 'MinimumPasswordAge' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-002"
Task = "Ensure 'MaximumPasswordAge' is set to '60'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 60) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 60"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-003"
Task = "Ensure 'MinimumPasswordLength' is set to '14'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-004"
Task = "Ensure 'PasswordComplexity' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-005"
Task = "Ensure 'PasswordHistorySize' is set to '24'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-006"
Task = "Ensure 'LockoutBadCount' is set to '10'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-007"
Task = "Ensure 'ResetLockoutCount' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-008"
Task = "Ensure 'LockoutDuration' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-009"
Task = "Ensure 'ClearTextPassword' is set to '0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
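Review bot: The AccountPolicy-* tests use exact equality where the other baselines in this commit use thresholds, so a stricter-than-baseline setting is reported as non-compliant: AccountPolicy-003 fails a MinimumPasswordLength of 20 via `if ($setPolicy -ne 14)`, AccountPolicy-002 fails a MaximumPasswordAge of 30, and AccountPolicy-008 fails a LockoutDuration of 30. If these values are deliberately exact for this baseline, a header comment such as `# AccountPolicy tests assert the exact baseline value, not a minimum or maximum` would make that intent clear to whoever maintains the tests; otherwise the comparisons should follow the CIS 1.1.x form (`-lt 14`, `-lt 15`, `-gt 60 -or $setPolicy -le 0`). The messages would then need the matching `Expected: x >= …` wording.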
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15 -or $setPolicy -gt 99999) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 5 -or $setPolicy -le 0) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 99999 -or $setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
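Review bot: 1.1.1's Task reads '24 or more password(s)' but the check is `if ($setPolicy -ne 24)` with `Expected: 24`, which is the exact-value form used by 1.1.5 rather than the threshold form used by 1.1.3 and 1.1.4; `if ($setPolicy -lt 24)` with `Expected: x >= 24` matches the wording. Windows limits PasswordHistorySize to 24, so the difference is currently only in the message, but the threshold form keeps the test consistent with its title. The remark in 1.1.2 (`#Setting 0 in GroupPolicy translates to -1 in AuditPolicy`) is the only place this export quirk is documented; it is worth repeating in any other test that special-cases a zero value.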
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
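Review bot: The failure messages of 2.3.1.4 and 2.3.1.5 echo the raw regex (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`), which an auditor reading the report cannot act on; describe the rule instead, e.g. `Expected: 1-20 characters, not containing 'Administrator'` and the Guest/Gast equivalent. The `(?i)` inside the pattern is redundant because `-notmatch` is case-insensitive unless `-cnotmatch` is used, so it can be dropped or kept consistently across all rename tests in the commit. Unlike the account-policy tests, the numeric options in this section (`EnableGuestAccount`, `LSAAnonymousNameLookup`, `ForceLogoffWhenHourExpire`) are compared without the `[long]` cast; the string comparison works for plain `0`/`1` values, but `$setOption = [long]$setOption` before the comparison would tolerate surrounding whitespace and keep the tests in one style.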
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-93141"
Task = "Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93143"
Task = "Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93145"
Task = "Windows Server 2019 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93459"
Task = "Windows Server 2019 must have the built-in Windows password complexity policy enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93463"
Task = "Windows Server 2019 minimum password length must be configured to 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93465"
Task = "Windows Server 2019 reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93471"
Task = "Windows Server 2019 minimum password age must be configured to at least one day."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -eq 0)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93477"
Task = "Windows Server 2019 maximum password age must be configured to 60 days or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-93479"
Task = "Windows Server 2019 password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
