2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
+336
@@ -0,0 +1,336 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush
.cr/
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Visual Studio Code
.vscode/
# Custom
*/testreport.html
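--- a/ATAPAuditor.psd1
+++ b/ATAPAuditor.psd1
@@ -0,0 +1,45 @@
+@{
+RootModule = 'ATAPAuditor.psm1'
+ModuleVersion = '5.12.1'
+GUID = '1662a599-4e3a-4f72-a844-9582077b589e'
+Author = 'Phan Quang Nguyen, Daniel Ströher, Robin Wernz'
+CompanyName = 'FB Pro GmbH'
+Copyright = '(c) 2025 FB Pro GmbH. All rights reserved.'
+Description = 'AuditTAP allows you to check operating systems and applications against industry approved standards for secure configuration and delivers the results in form of a HTML based report document.'
+PowerShellVersion = '5.0'
+RequiredModules = @(
+'ATAPHtmlReport'
+)
+# RequiredAssemblies = @()
+# ScriptsToProcess = @()
+# TypesToProcess = @()
+# FormatsToProcess = @()
+# NestedModules = @()
+FunctionsToExport = @(
+'Save-ATAPHtmlReport'
+'Invoke-ATAPReport'
+'Get-ATAPReport'
+'Get-AuditResource'
+'Test-AuditGroup'
+)
+CmdletsToExport = @()
+VariablesToExport = ''
+AliasesToExport = @(
+'shr'
+)
+# ModuleList = @()
+# FileList = @()
+PrivateData = @{
+PSData = @{
+Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html')
+LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
+ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
+# IconUri = ''
+# ReleaseNotes = ''
+} # End of PSData hashtable
+} # End of PrivateData hashtable
+# HelpInfoURI = ''
+# DefaultCommandPrefix = 'ATAP'
+}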
+931
@@ -0,0 +1,931 @@
using namespace Microsoft.PowerShell.Commands
#region Initialization
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
. "$RootPath\Helpers\HashHelper.ps1"
$script:atapReportsPath = $env:ATAPReportPath
if (-not $script:atapReportsPath) {
$script:atapReportsPath = [Environment]::GetFolderPath('MyDocuments') | Join-Path -ChildPath 'ATAPReports'
}
# for license status function. if called multiple times the cache will be used
$LicenseStatusCache = $null
#endregion
#region Classes
class AuditTest {
[string] $Id
[string] $Task
[hashtable[]] $Constraints
[scriptblock] $Test
}
enum AuditInfoStatus {
True
False
Warning
None
Error
}
class AuditInfo {
[string] $Id
[string] $Task
[AuditInfoStatus] $Status
[string] $Message
}
class ReportSection {
[string] $Title
[string] $Description
[AuditInfo[]] $AuditInfos
[ReportSection[]] $SubSections
}
class Report {
[string] $Title
[string] $ModuleName
[string] $AuditorVersion
[hashtable] $HostInformation
[string[]] $BasedOn
[ReportSection[]] $Sections
[RSFullReport] $RSReport
[FoundationReport] $FoundationReport
}
###################################################
####### SYSTEM INFORMATION Classes ##########
###################################################
class SystemInformation {
[SoftwareInformation] $SoftwareInformation
[HardwareInformation] $HardwareInformation
}
class SoftwareInformation {
[string] $Hostname
[string] $SystemUptime
[string] $OperatingSystem
[string] $BuildNumber
[string] $OSArchitecture
[string] $LicenseStatus
[string] $InstallationLanguage
[string] $DomainRole
[string] $KernelVersion
}
class HardwareInformation {
[string] $SystemManufacturer
[string] $SystemSKU
[string] $SystemModel
[string] $SystemSerialnumber
[string] $BiosVersion
[string] $FreeDiskSpace
[string] $FreePhysicalMemory
}
### Begin Foundation Classes ###
class FoundationReport {
[ReportSection[]] $Sections
}
### End Foundation Classes
# RiskScore Classes
enum RSEndResult {
Critical
High
Medium
Low
Unknown
}
class RSFullReport {
[RSSeverityReport] $RSSeverityReport
[RSQuantityReport] $RSQuantityReport
}
class RSSeverityReport {
[AuditInfo[]] $AuditInfos
[ResultTable[]] $ResultTable
[RSEndResult] $Endresult
}
class RSQuantityReport {
}
class ResultTable {
[int] $Success
[int] $Failed
}
#endregion
#region helpers
function IsIn-FullLanguageMode {
try {
$languageMode = $ExecutionContext.SessionState.LanguageMode
if ($languageMode -eq "FullLanguage") {
return $true
}
}
catch {
return $false
}
# returns alternate language modes if not FullLanguage
return $languageMode
}
function Start-ModuleTest {
$moduleList = @(Get-Module -ListAvailable).Name | Select-Object -Unique
$necessaryModules = @(
"Microsoft.PowerShell.LocalAccounts",
"Microsoft.PowerShell.Management",
"Microsoft.PowerShell.Security",
"Microsoft.PowerShell.Utility",
"TrustedPlatformModule",
"NetSecurity",
"CimCmdlets",
"SmbShare",
"Defender",
"DISM"
#Modules only necessary for specific server tests
#"IISAdministration",
#"SQLServer",
)
$missingModules = @()
foreach ($module in $necessaryModules) {
if ($moduleList -notcontains $module) {
$missingModules += $module
}
}
if ($missingModules.Count -gt 0) {
Write-Warning "Missing module(s) found. Missing modules can lead to errors. Following modules are missing:"
for ($i = 0; $i -lt $missingModules.Count; $i++) {
Write-Warning $missingModules[$i]
}
Write-Warning "Check out this link on how to install modules: https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-3.x"
}
}
function Get-LicenseStatus {
param(
$SkipLicenseCheck
)
if ($LicenseStatusCache) {
return $LicenseStatusCache
}
if ($SkipLicenseCheck -eq $true) {
$LicenseStatusCache = "License check has been skipped."
return $LicenseStatusCache
}
Write-Host "Checking operating system activation status. This may take a while..."
$license = Get-CimInstance SoftwareLicensingProduct -Filter "Name like 'Windows%'" | Where-Object { $_.PartialProductKey } | Select-Object -First 1
$LicenseStatusCache = switch ($license.LicenseStatus) {
"0" { "Unlicensed" }
"1" { "Licensed" }
"2" { "OOBGrace" }
"3" { "OOTGrace" }
"4" { "NonGenuineGrace" }
"5" { "Notification" }
"6" { "ExtendedGrace" }
}
return $LicenseStatusCache
}
function IsIIS10Executable {
if ((Get-Module -ListAvailable IISAdministration) -eq $null) {
return $false
}
return $true
}
function Test-ArrayEqual {
[OutputType([bool])]
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[AllowNull()]
[AllowEmptyCollection()]
[array]
$Array1,
[Parameter(Mandatory = $true)]
[AllowNull()]
[AllowEmptyCollection()]
[array]
$Array2
)
if ($null -eq $Array1) {
$Array1 = @()
}
if ($null -eq $Array2) {
$Array2 = @()
}
if ($Array1.Count -ne $Array2.Count) {
return $false
}
foreach ($a in $Array1) {
if ($a -notin $Array2) {
return $false
}
}
return $true
}
# Get domain role
# 0 {"Standalone Workstation"}
# 1 {"Member Workstation"}
# 2 {"Standalone Server"}
# 3 {"Member Server"}
# 4 {"Backup Domain Controller"}
# 5 {"Primary Domain Controller"}
function Get-DomainRole {
$domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole
switch ($domainRole) {
0 { $result = "Standalone Workstation" }
1 { $result = "Member Workstation" }
2 { $result = "Standalone Server" }
3 { $result = "Member Server" }
4 { $result = "Backup Domain Controller" }
5 { $result = "Primary Domain Controller" }
}
return $result
}
function checkReportNameWithOSSystem {
[CmdletBinding()]
param (
[Parameter()]
[string]
$ReportName
)
# helpers
function handleReportNameDiscrepancy {
param (
[Parameter()]
[string]
$ReportName,
[Parameter()]
[string]
$OsName,
[Parameter()]
[bool]
$ShouldBeStandAlone = $False
)
if ($ShouldBeStandAlone -eq $True) {
Write-Host "You chose the Reportname $ReportName but the operating system is domain-joined. Be aware that a different report type could affect the result."
}
else {
Write-Host "You chose the Reportname $ReportName but the operating system is $OsName. Be aware that a different report type could affect the result."
}
Write-Host ""
Write-Host "Choose one of the following options:"
Write-Host "[1] Continue [2] Exit Script" -ForegroundColor Yellow
$in = Read-Host
switch ($in) {
1 {
Write-Host "You chose to continue"
return $ReportName
}
2 {
Write-Host "You chose to exit the script"
return "Exit"
}
default {
Write-Host "Your input was invalid, call Save-ATAPHtmlReport again with your desired report"
return "Exit"
}
}
}
function returnSuitingReportName {
[CmdletBinding()]
param (
[Parameter()]
[string]
$ReportName,
[Parameter()]
[string]
$OsName,
[Parameter()]
[string]
$OsType,
[Parameter()]
[bool]
$ShouldBeStandAlone = $False
)
###
# similarity check
function isOsNameSimilarToType {
[CmdletBinding()]
param (
[Parameter()]
[string]
$OsName,
[Parameter()]
[string]
$OsType
)
if ($OsName -match $OsType) {
return $true
}
return $false
}
if (-not(isOsNameSimilarToType -OsName $osName -OsType $osType)) {
return handleReportNameDiscrepancy -ReportName $ReportName -OsName $osName
}
###
# should be standalone
if ($ShouldBeStandAlone -eq $True) {
function IsDomainedJoined {
if ((Get-CimInstance win32_computersystem).partofdomain) {
return $true
}
return $false
}
$isDomainJoined = IsDomainedJoined
if ($isDomainJoined -eq $True) {
return handleReportNameDiscrepancy -ReportName $ReportName -OsName $osName -ShouldBeStandAlone $True
}
}
return $ReportName
}
#helpers end
try {
$osName = (Get-ComputerInfo OsName).OsName
if ([string]::IsNullOrEmpty($osName)) {
return $ReportName # return initial ReportName and skip comparison
}
function Get-OsType {
switch ($ReportName) {
"Microsoft Windows Server 2025" { return "Microsoft Windows Server 2025" }
"Microsoft Windows Server 2022" { return "Microsoft Windows Server 2022" }
"Microsoft Windows Server 2019" { return "Microsoft Windows Server 2019" }
"Microsoft Windows Server 2016" { return "Microsoft Windows Server 2016" }
"Microsoft Windows Server 2012" { return "Microsoft Windows Server 2012" }
"Microsoft Windows 11" { return "Microsoft Windows 11" }
"Microsoft Windows 11 Stand-alone" { return "Microsoft Windows 11" }
"Microsoft Windows 10" { return "Microsoft Windows 10" }
"Microsoft Windows 10 Stand-alone" { return "Microsoft Windows 10" }
"Microsoft Windows 10 GDPR" { return "Microsoft Windows 10" }
"Microsoft Windows 10 BSI" { return "Microsoft Windows 10" }
"Microsoft Windows 7" { return "Microsoft Windows 7" }
}
}
$osType = Get-OsType
switch ($ReportName) {
"Microsoft Windows Server 2025" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows Server 2022" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows Server 2019" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows Server 2016" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows Server 2012" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows 11" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows 11 Stand-alone" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType -ShouldBeStandAlone $True
}
"Microsoft Windows 10" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows 10 Stand-alone" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType -ShouldBeStandAlone $True
}
"Microsoft Windows 10 GDPR" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows 10 BSI" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
"Microsoft Windows 7" {
return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType
}
}
return $ReportName
}
catch {
return $ReportName
}
}
### begin Foundation functions ###
function Get-FoundationReport {
[CmdletBinding()]
[OutputType([FoundationReport])]
$Sections = @(
[ReportSection] @{
Title = "Security Base Data"
SubSections = @(
[ReportSection] @{
Title = 'Platform Security'
AuditInfos = Test-AuditGroup "SBD - Platform Security"
}
[ReportSection] @{
Title = 'Windows Base Security'
AuditInfos = Test-AuditGroup "SBD - Windows Base Security"
}
[ReportSection] @{
Title = 'PowerShell Security'
AuditInfos = Test-AuditGroup "SBD - PowerShell Security"
}
[ReportSection] @{
Title = 'Connectivity Security'
AuditInfos = Test-AuditGroup "SBD - Connectivity Security"
}
[ReportSection] @{
Title = 'Application Control'
AuditInfos = Test-AuditGroup "SBD - Application Control"
}
)
}
)
return ([FoundationReport]@{
Sections = $Sections
})
}
# region for RiskScore functions
# function that calls all RiskScore-Subfunctions and generates the RSFullReport
function Get-RSFullReport {
[CmdletBinding()]
[OutputType([RSFullReport])]
$severity = Get-RSSeverityReport
return ([RSFullReport]@{
RSSeverityReport = $severity
})
}
# function to generate RiskSeverityReport
function Get-RSSeverityReport {
[CmdletBinding()]
[OutputType([RSSeverityReport])]
# Initialization
[AuditInfo[]]$tests = Test-AuditGroup "RSSeverityTests"
# gather results of tests and save it in resultTable
$resultTable = [ResultTable]::new()
foreach ($test in $tests) {
if ($test.AuditInfoStatus -EQ "True") {
$resultTable.Success += 1
}
if ($test.AuditInfostatus -ne "True") {
$resultTable.Failed += 1
}
}
return ([RSSeverityReport]@{
AuditInfos = $tests
ResultTable = $resultTable
Endresult = Get-RSSeverityEndResult($resultTable)
})
}
# helper for EndResult of RiskScoreSeverity
function Get-RSSeverityEndResult {
[CmdletBinding()]
[OutputType([RSEndResult])]
param (
[Parameter(Mandatory = $true)]
[ResultTable[]]
$resultTable
)
$result = "Unknown"
$f = $resultTable.Failed
if ($f -eq 0) {
$result = "Low"
}
if ($f -ge 1) {
$result = "Critical"
}
return $result
}
#endregion
<#
.SYNOPSIS
Tests a single AuditGroup.
.DESCRIPTION
This cmdlet tests a single AuditGroup from folder "AuditGroups". All tests are printed on the console. Can be combined to create own report.
.EXAMPLE
PS C:\> Test-AuditGroup "Google Chrome-CIS-2.0.0#RegistrySettings"
This runs tests defined in the AuditGroup file called 'Google Chrome-CIS-2.0.0#RegistrySettings'.
.PARAMETER GroupName
The name of the AuditGroup.
#>
function Test-AuditGroup {
[CmdletBinding()]
[OutputType([AuditInfo[]])]
param(
[Parameter(Mandatory = $true)]
[string]
$GroupName
)
#Windows OS
if ([System.Environment]::OSVersion.Platform -ne 'Unix') {
$tests = . "$RootPath\AuditGroups\$($GroupName).ps1"
}
#Linux OS
else {
$tests = . "$RootPath/AuditGroups/$($GroupName).ps1"
}
$i = 1
foreach ($test in $tests) {
[int]$p = $i++ / $tests.Count * 100
Write-Progress -Activity "Testing Report for '$GroupName'" -Status "Progress:" -PercentComplete $p
Write-Verbose "Testing $($test.Id)"
$message = "Test not implemented yet."
$status = [AuditInfoStatus]::None
#if audit test contains datatype "Constraints", proceed
if ($test.Constraints) {
$DomainRoleConstraint = $test.Constraints | Where-Object Property -EQ "DomainRole"
#get domain role of system
$currentRole = Get-DomainRole
#get domain roles, which are listed in AuditTest
$domainRoles = $DomainRoleConstraint.Values
if ($currentRole -notin $domainRoles) {
$roleValue = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole
switch ($roleValue) {
0 {
$message = 'Not applicable. This audit does not apply to Standalone Workstation.'
$status = [AuditInfoStatus]::None
}
1 {
$message = 'Not applicable. This audit does not apply to Member Workstation.'
$status = [AuditInfoStatus]::None
}
2 {
$message = 'Not applicable. This audit does not apply to Standalone Server.'
$status = [AuditInfoStatus]::None
}
3 {
$message = 'Not applicable. This audit does not apply to Member Server.'
$status = [AuditInfoStatus]::None
}
4 {
$message = 'Not applicable. This audit does not apply to Backup Domain Controller.'
$status = [AuditInfoStatus]::None
}
5 {
$message = 'Not applicable. This audit does not apply to Primary Domain Controller.'
$status = [AuditInfoStatus]::None
}
}
Write-Output ([AuditInfo]@{
Id = $test.Id
Task = $test.Task
Message = $message
Status = $status
})
continue
}
}
#Windows OS
if ([System.Environment]::OSVersion.Platform -ne 'Unix') {
$role = Get-Wmiobject -Class 'Win32_computersystem' -ComputerName $env:computername | Select-Object domainrole
if ($test.Task -match "(DC only)") {
if ($role.domainRole -ne 4 -and $role.domainRole -ne 5) {
$message = 'Not applicable. This audit does not apply to Member Server systems.'
$status = [AuditInfoStatus]::None
Write-Output ([AuditInfo]@{
Id = $test.Id
Task = $test.Task
Message = $message
Status = $status
})
continue
}
}
}
try {
$innerResult = & $test.Test
if ($null -ne $innerResult) {
$message = $innerResult.Message
$status = [AuditInfoStatus]$innerResult.Status
}
}
catch {
Write-Error $_
$message = "An error occured!"
$status = [AuditInfoStatus]::Error
}
Write-Output ([AuditInfo]@{
Id = $test.Id
Task = $test.Task
Message = $message
Status = $status
})
}
}
<#
.SYNOPSIS
Get an audit resource.
.DESCRIPTION
A resource provides abstration over an existing system resource. It is used by AuditTests.
.PARAMETER Name
The name of the resource.
.EXAMPLE
PS C:\> Get-AuditResource -Name "WindowsSecurityPolicy"
Gets the WindowsSecurityPolicy resource.
#>
function Get-AuditResource {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[string]
$Name
)
#Windows OS
if ([System.Environment]::OSVersion.Platform -ne 'Unix') {
if ($null -eq $script:loadedResources) {
return & "$RootPath\Resources\$($Name).ps1"
}
if (-not $script:loadedResources.ContainsKey($Name)) {
$script:loadedResources[$Name] = (& "$RootPath\Resources\$($Name).ps1")
}
}
#Linuxs OS
else {
if ($null -eq $script:loadedResources) {
return & "$RootPath/Resources/$($Name).ps1"
}
if (-not $script:loadedResources.ContainsKey($Name)) {
$script:loadedResources[$Name] = (& "$RootPath/Resources/$($Name).ps1")
}
}
return $script:loadedResources[$Name]
}
<#
.SYNOPSIS
Get all reports.
.DESCRIPTION
Find the reports installed on the system.
.PARAMETER ReportName
The name of the report.
.EXAMPLE
PS C:\> Get-ATAPReport
Gets all reports.
#>
function Get-ATAPReport {
[CmdletBinding()]
param (
[Parameter()]
[string]
$ReportName = "*"
)
#Windows OS
if ([System.Environment]::OSVersion.Platform -ne 'Unix') {
return Get-ChildItem "$RootPath\Reports\$ReportName.ps1" | Select-Object -Property BaseName
}
#Linux OS
return Get-ChildItem "$RootPath/Reports/$ReportName.ps1" | Select-Object -Property BaseName
}
<#
.SYNOPSIS
Invokes an ATAPReport
.DESCRIPTION
Long description
.EXAMPLE
PS C:\> ATAPReport -ReportName "Google Chrome"
This runs the report and outputs the logical report data.
.PARAMETER ReportName
The name of the report.
.OUTPUTS
Logical report data.
#>
function Invoke-ATAPReport {
[CmdletBinding()]
param (
[Alias('RN')]
[Parameter(Mandatory = $true)]
[string]
$ReportName
)
$script:loadedResources = @{}
# Load the module manifest
#Windows OS
try {
if ([System.Environment]::OSVersion.Platform -ne 'Unix') {
$moduleInfo = Import-PowerShellDataFile -Path "$RootPath\ATAPAuditor.psd1"
[string]$ReportName = checkReportNameWithOSSystem -ReportName $ReportName
try {
if ($ReportName -eq "Exit") {
throw
}
}
catch {
Write-Host "Script halted: Exiting..."
break
}
[Report]$report = (& "$RootPath\Reports\$ReportName.ps1")
$report.RSReport = Get-RSFullReport
$report.FoundationReport = Get-FoundationReport
}
#Linux OS
else {
$moduleInfo = Import-PowerShellDataFile -Path "$RootPath/ATAPAuditor.psd1"
[Report]$report = (& "$RootPath/Reports/$ReportName.ps1")
}
}
catch [System.Management.Automation.CommandNotFoundException] {
Write-Host "Either your input for -Reportname is faulty or the report does not resolve due to a bug. Please report this bug with the following errormessage:
1. ErrorException: $_
2. PositionMessage: $($_.InvocationInfo.PositionMessage)
3. ReportName: $ReportName"
break
}
$report.AuditorVersion = $moduleInfo.ModuleVersion
return $report
}
<#
.SYNOPSIS
The Audit Test Automation Package creates transparents reports about hardening compliance status
.DESCRIPTION
The Audit Test Automation Package gives you the ability to get an overview about the compliance status of several systems.
You can easily create HTML-reports and have a transparent overview over compliance and non-compliance of explicit setttings
and configurations in comparison to industry standards and hardening guides.
.EXAMPLE
PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows 10 Complete" -RiskScore -Path C:\Temp\report.html
This runs the 'Microsoft Windows 10 Complete' report, adding RiskScore to it and stores the resulting html file under C:\Temp using the file name report.html
.EXAMPLE
PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows 10 BSI" -RiskScore -Path C:\Temp
This runs the 'Microsoft Windows 10 BSI' report, adding RiskScore to it and stores the resulting html file under C:\Temp using the standard naming convention for file names <ReportName_Date_Time>.html
.EXAMPLE
PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows Server 2022" -Path C:\Temp
This runs the 'Microsoft Windows Server 2022' report, without adding RiskScore to it and stores the resulting html file under C:\Temp using the standard naming convention for file names <ReportName_Date_Time>.html
.EXAMPLE
PS C:\> Save-ATAPHtmlReport -ReportName "Google Chrome"
This runs the 'Google Chrome' report and stores the resulting html file (by default) under ~\Documents\ATAPReports
.EXAMPLE
PS C:\> Save-ATAPHtmlReport -ReportName "Ubuntu 20.04"
This runs the 'Ubuntu 20.04' report and stores the resulting html file (by default) under ~\Documents\ATAPReports
.PARAMETER ReportName
Determine, which OS shall be tested.
.PARAMETER Path
The path where the result html document should be stored.
.PARAMETER RiskScore
Add a RiskScore-Matrix to report (works only on Windows OS)
.PARAMETER MITRE
Add a MITRE ATT&CK headmap to report (works only on Windows OS)
.PARAMETER Force
If the parent directory doesn't exist it will be created.
.OUTPUTS
None.
#>
function Save-ATAPHtmlReport {
[CmdletBinding()]
param(
[Alias('RN')]
[Parameter(Mandatory = $true)]
[string]
$ReportName,
[Parameter(Mandatory = $false)]
[string]
$Path = ($script:atapReportsPath | Join-Path -ChildPath "$($ReportName)_$(Get-Date -UFormat %Y%m%d_%H%M%S).html"),
[Parameter(Mandatory = $false)]
[switch]
$RiskScore,
[Parameter(Mandatory = $false)]
[switch]
$SkipLicenseCheck,
# [Parameter(Mandatory = $false)]
# [switch]
# $MITRE,
[Parameter()]
[switch]
$Force
)
if ([Environment]::Is64BitProcess -eq $false) {
Write-Host "Please use 64-bit version of PowerShell in order to use AuditTAP. Closing..." -ForegroundColor red
return;
}
if (($languagemode = IsIn-FullLanguageMode) -ne $true) {
if ($languagemode -eq $false) {
Write-Host "The current language mode could not be determined. Ensure that AuditTAP is run in `"FullLanguage`" mode. For further information, contact your administrator. Closing..." -ForegroundColor red
}
else {
Write-Host "The current language mode is `"$languagemode`". Ensure that AuditTAP is run in `"FullLanguage`" mode. For further information, contact your administrator. Closing..." -ForegroundColor red
}
return
}
$parent = $path
if ($Path -match ".html") {
$parent = Split-Path -Path $Path
}
#if input path is not default one
if ($parent -ne $script:atapReportsPath) {
$pathCheck = Test-Path -Path $parent -PathType Container
#if path doesn't exist
if ($pathCheck -eq $False) {
if (-not [string]::IsNullOrEmpty($parent) -and -not (Test-Path $parent)) {
New-Item -ItemType Directory -Path $parent -Force | Out-Null
Write-Warning "Could not find Path. Path will be created: $parent"
}
else {
Write-Warning "Could not find Path. Report will be created inside default path: $($script:atapReportsPath)"
$Path = $($script:atapReportsPath)
}
}
}
Write-Verbose "OS-Check"
$isUnix = [System.Environment]::OSVersion.Platform -eq 'Unix'
if ($isUnix) {
[SystemInformation] $SystemInformation = (& "$PSScriptRoot\Helpers\ReportUnixOS.ps1")
}
else {
[SystemInformation] $SystemInformation = (& "$PSScriptRoot\Helpers\ReportWindowsOS.ps1")
Start-ModuleTest
if ($ReportName -eq "Microsoft IIS10") {
$isIIS10Executable = IsIIS10Executable
if ($isIIS10Executable -eq $false) {
Write-Warning "IIS10 Report not executable! IISAdministration module not available. Please install this module and try again. Exiting..."
return;
}
}
Write-Verbose "PS-Check"
$psVersion = $PSVersionTable.PSVersion
#PowerShell Major version not 5.*
if (($psVersion.Major -ne 5)) {
Write-Warning "ATAPAuditor is only compatible with PowerShell Version 5.1. Your version is $psVersion. Please open a PowerShell Version 5.1 session to continue!"
return;
}
#PowerShell version not 5.1
if (($psVersion.Major -eq 5) -and ($psVersion.Minor -eq 0)) {
Write-Warning "ATAPAuditor is only compatible with PowerShell Version 5.1. Your version is $psVersion. You need to upgrade to a higher Windows version!"
return;
}
}
$report = Invoke-ATAPReport -ReportName $ReportName
#hashes for each recommendation
if (!$isUnix) {
$SystemInformation.SoftwareInformation.LicenseStatus = Get-LicenseStatus $SkipLicenseCheck
}
$hashtable_sha256 = GenerateHashTable $report
$report | Get-ATAPHtmlReport -Path $Path -RiskScore:$RiskScore -MITRE:$MITRE -hashtable_sha256:$hashtable_sha256 -LicenseStatus:$LicenseStatus -SystemInformation:$SystemInformation
}
New-Alias -Name 'shr' -Value Save-ATAPHtmlReport
$completer = {
param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
Get-ChildItem "$RootPath\Reports\*.ps1" `
| Select-Object -ExpandProperty BaseName `
| ForEach-Object { "`"$_`"" } `
| Where-Object { $_ -like "*$wordToComplete*" }
}.GetNewClosure()
Register-ArgumentCompleter -CommandName Save-ATAPHtmlReport -ParameterName ReportName -ScriptBlock $completer
Register-ArgumentCompleter -CommandName shr -ParameterName ReportName -ScriptBlock $completer
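Review bot: `Get-RSSeverityReport` tests `$test.AuditInfoStatus` in the two `if`s inside `foreach ($test in $tests)`, but the `AuditInfo` class declares the property as `$Status`, so the comparison reads `$null`, `Success` never increments, every test is counted as `Failed`, and `Get-RSSeverityEndResult` returns `Critical` for any group with at least one test; replace both checks with `if ($test.Status -eq [AuditInfoStatus]::True) { $resultTable.Success += 1 } else { $resultTable.Failed += 1 }`. `Get-LicenseStatus` assigns `$LicenseStatusCache` without a scope qualifier, which creates a function-local variable and leaves the script-level cache from the Initialization region `$null`, so the "cache will be used" comment does not hold; write `$script:LicenseStatusCache` for the read and both assignments. `$ReportName`, `$GroupName` and `$Name` are interpolated unchecked into the paths that `Invoke-ATAPReport`, `Test-AuditGroup` and `Get-AuditResource` execute with `&` or dot-source, so a value containing a path separator can resolve to a script outside the module's `Reports`/`AuditGroups`/`Resources` folders; a `[ValidatePattern('^[^\\/]+$')]` on those parameters, or checking the name against `Get-ATAPReport`'s output before execution, would keep execution inside the module root. In `Save-ATAPHtmlReport` the final pipeline passes `-MITRE:$MITRE` and `-LicenseStatus:$LicenseStatus`, yet the `$MITRE` parameter is commented out and `$LicenseStatus` is never assigned in the function, so both forward `$null` (and would presumably fail under `Set-StrictMode`); dropping them or wiring `-LicenseStatus` to `$SystemInformation.SoftwareInformation.LicenseStatus` would make the call explicit.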
@@ -0,0 +1,184 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "1.0"
Task = "Ensure 'Debug programs' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "2.1"
Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RequireIntegrityActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel"
if ($regValue -ne 0x00000001) {
return @{
Message = "Registry value is '$regValue'. Expected: 0x00000001"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.2"
Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RaiseActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel"
if ($regValue -ne 0x00000002) {
return @{
Message = "Registry value is '$regValue'. Expected: 0x00000002"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
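Review bot: The Hyper-V guard in ConvertTo-NTAccountUser (`Get-WindowsOptionalFeature -Online` at the `S-1-5-83-0` check) runs inside the function's blanket `catch`, so when that cmdlet fails — it needs an elevated session and is not present on every SKU — the function returns the `Orphaned Account` placeholder for the Virtual Machines identity instead of the intended `$null`, and any caller building an expected-account list from it gains a bogus entry. Querying the feature with errors suppressed keeps the intent, `$hyperV = Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V" -ErrorAction SilentlyContinue` followed by `if ($Name -eq "S-1-5-83-0" -and $hyperV.State -ne "Enabled") { return $null }`; if the non-elevated failure surfaces as a terminating error on some builds, give that query its own try/catch that returns `$null` rather than relying on the outer one. The same outer catch also hides translation failures for every other name as "Orphaned Account" with no diagnostic, so a `Write-Verbose` of `$_.Exception.Message` in the catch would make a mis-typed map entry visible in the report run. Test 1.0 in this hunk is unaffected because its expected list is empty, but the other `[AuditTest]` files that pipe named groups into this function would be.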
@@ -0,0 +1,684 @@
[AuditTest] @{
Id = "1.1.1"
Task = "Ensure 'Enable site isolation for every site' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SitePerProcess" `
| Select-Object -ExpandProperty "SitePerProcess"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "Ensure 'Supported authentication schemes' is set to 'ntlm, negotiate'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "AuthSchemes" `
| Select-Object -ExpandProperty "AuthSchemes"
if ($regValue -notmatch "^(ntlm\s*,\s*negotiate|negotiate\s*,\s*ntlm)$") {
return @{
Message = "Registry value is '$regValue'. Expected: ntlm, negotiate"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "Ensure 'Allow user-level native messaging hosts (installed without admin permissions)' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "NativeMessagingUserLevelHosts" `
| Select-Object -ExpandProperty "NativeMessagingUserLevelHosts"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SmartScreenEnabled" `
| Select-Object -ExpandProperty "SmartScreenEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "PreventSmartScreenPromptOverride" `
| Select-Object -ExpandProperty "PreventSmartScreenPromptOverride"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "PreventSmartScreenPromptOverrideForFiles" `
| Select-Object -ExpandProperty "PreventSmartScreenPromptOverrideForFiles"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SSLErrorOverrideAllowed" `
| Select-Object -ExpandProperty "SSLErrorOverrideAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.8"
Task = "Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SmartScreenPuaEnabled" `
| Select-Object -ExpandProperty "SmartScreenPuaEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.9"
Task = "Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "BasicAuthOverHttpEnabled" `
| Select-Object -ExpandProperty "BasicAuthOverHttpEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.10"
Task = "Ensure 'Allow unconfigured sites to be reloaded in Internet Explorer mode' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerIntegrationReloadInIEModeAllowed" `
| Select-Object -ExpandProperty "InternetExplorerIntegrationReloadInIEModeAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.11"
Task = "Ensure 'Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "SharedArrayBufferUnrestrictedAccessAllowed" `
| Select-Object -ExpandProperty "SharedArrayBufferUnrestrictedAccessAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.12"
Task = "Ensure 'Specifies whether to allow websites to make requests to more-private network endpoints' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InsecurePrivateNetworkRequestsAllowed" `
| Select-Object -ExpandProperty "InsecurePrivateNetworkRequestsAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.13"
Task = "Ensure 'Enable browser legacy extension point blocking' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "BrowserLegacyExtensionPointsBlockingEnabled" `
| Select-Object -ExpandProperty "BrowserLegacyExtensionPointsBlockingEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.14"
Task = "Ensure 'Show the Reload in Internet Explorer mode button in the toolbar' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerModeToolbarButtonEnabled" `
| Select-Object -ExpandProperty "InternetExplorerModeToolbarButtonEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.15"
Task = "Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "TyposquattingCheckerEnabled" `
| Select-Object -ExpandProperty "TyposquattingCheckerEnabled"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.16"
Task = "Ensure 'Enhance images enabled' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "EdgeEnhanceImagesEnabled" `
| Select-Object -ExpandProperty "EdgeEnhanceImagesEnabled"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.17"
Task = "Ensure 'Force WebSQL to be enabled' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "WebSQLAccess" `
| Select-Object -ExpandProperty "WebSQLAccess"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.18"
Task = "Ensure 'Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" `
-Name "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed" `
| Select-Object -ExpandProperty "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.20"
Task = "Block all extensions not on allow list"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist" `
-Name "1" `
| Select-Object -ExpandProperty "1"
if ($regValue -ne "*") {
return @{
Message = "Registry value is '$regValue'. Expected: *"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
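Review bot: Test 1.1.20 only reads the value named `1` under `ExtensionInstallBlocklist`, but that policy is a list whose indices are arbitrary, so a block-all `*` entry stored under any other index is reported as non-compliant, and a key whose `1` value is a specific extension id is reported as "Registry value is ..." rather than "not blocking all". Enumerating every value of the key and checking whether any of them is `*` matches the policy semantics; with `Get-Item` doing the key lookup the `PSArgumentException` branch becomes unreachable (a missing key still raises `ItemNotFoundException`), so it can be dropped or left as is. The Id sequence also skips 1.1.19 between 1.1.18 and 1.1.20, which is worth a one-line comment if intentional.
```powershell
$key = Get-Item -ErrorAction Stop `
    -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist"
$regValue = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
if ($regValue -notcontains "*") {
    return @{
        Message = "Registry key has no '*' entry. Values: $($regValue -join ', '). Expected: *"
        Status = "False"
    }
}
# … unchanged: catch blocks and Compliant return …
```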
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "200"
Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "201"
Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "202"
Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "203"
Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "204"
Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "205"
Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "206"
Task = "(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "207"
Task = "(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "208"
Task = "(ND) Ensure 'Reset account lockout counter after' is set to '15 or`nmore minute(s)'. "
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
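Review bot: Test 202 compares with `-ne 24` although its Task text says "24 or more password(s)", so a stricter history size such as 30 is reported as non-compliant; the neighbouring tests 204–208 use the range form. The comparison and message should be `if ($setPolicy -lt 24) {` and `Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"`. Separately, the `[long]$setPolicy` cast in every test of this hunk throws an unhandled cast exception if secedit ever yields a non-numeric string; whether the runner turns that into a failed test or aborts the report is not visible here, so a `-as [long]` with a `$null` check would be the defensive form.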
@@ -0,0 +1,77 @@
# Common
function Get-AuditPolicySubcategoryGUID {
Param(
[Parameter(Mandatory = $true)]
[AllowEmptyString()]
[string] $Subcategory
)
$map = @{
"Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}"
"Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}"
"System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}"
"IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}"
"Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}"
"Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}"
"Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}"
"Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}"
"IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}"
"IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}"
"IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}"
"Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}"
"Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}"
"Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}"
"User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}"
"Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}"
"File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}"
"Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}"
"Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}"
"SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}"
"Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}"
"Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}"
"Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}"
"File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}"
"Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}"
"Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}"
"Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}"
"Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}"
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}"
"Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}"
"Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}"
"Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}"
"Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}"
"Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}"
"Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}"
"DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}"
"RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}"
"Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}"
"Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}"
"Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}"
"Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}"
"Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}"
"MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}"
"Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}"
"Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}"
"User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}"
"Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}"
"Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}"
"Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}"
"Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}"
"Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}"
"Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}"
"Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}"
"Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}"
"Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}"
"Credential Validation" = "{0CCE923F-69AE-11D9-BED3-505054503030}"
"Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}"
"Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}"
"Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}"
}
if ($map.ContainsKey($Subcategory)) {
return $map[$Subcategory]
}
return ""
}
# Tests
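Review bot: Get-AuditPolicySubcategoryGUID returns `""` for an unknown subcategory with no diagnostic, so a mis-typed name in an `[AuditTest]` quietly resolves to an empty GUID and whatever the caller does with it (the tests that consume this are past the end of the hunk) audits the wrong thing without anyone noticing. A warning before the fallback makes the typo visible in the run, `Write-Warning "[Get-AuditPolicySubcategoryGUID] Unknown audit subcategory '$Subcategory'"`. The `$map` literal is also rebuilt on every call; hoisting it to a script-scoped `$script:AuditSubcategoryGuids` table keeps the function a pure lookup, and a short comment-based help block (`.SYNOPSIS` plus the empty-string contract for unknown names) would document why `[AllowEmptyString()]` is there.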
@@ -0,0 +1,156 @@
[AuditTest] @{
Id = "235"
Task = "(ND, NE) Configure 'Accounts: Rename administrator account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "236"
Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "237"
Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. "
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "238"
Task = "(ND, NE) Configure 'Accounts: Rename guest account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "249"
Task = "(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "263"
Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
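Review bot: The checks in this hunk are written in two inconsistent forms: test 235's regex relies on `-notmatch` being case-insensitive by default while 238 spells out `(?i)` for the same effect, and 236, 237, 249 and 263 compare the secedit string straight against an integer where the password-policy tests in the earlier hunk first cast with `$setPolicy = [long]$setPolicy`. Picking one form in both places — `"^(?i)(?!.*\bAdministrator\b).*$"` in 235 to mirror 238, and `$setOption = [long]$setOption` before the `-ne 0`/`-ne 1` comparisons — makes the intent explicit and keeps a stray whitespace or leading zero in the exported value from producing a false non-compliance. The Task string of 237 carries a trailing space inside the quotes, which ends up in the report text.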
@@ -0,0 +1,711 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\Firewall.ps1"
[AuditTest] @{
Id = "4.1.1"
Task = "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "CrashOnAuditFail" `
| Select-Object -ExpandProperty "CrashOnAuditFail"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.1.2"
Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "SCENoApplyLegacyAuditPolicy" `
| Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.2.1.1"
Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log";
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.2"
Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.3"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogDroppedPackets"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.1.4"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogSuccessfulConnections"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.1"
Task = "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log";
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.2"
Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.3"
Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogDroppedPackets"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.2.4"
Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
$key = "LogSuccessfulConnections"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.1"
Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "AllowLocalPolicyMerge"
$expectedValue = 0;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.2"
Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "AllowLocalIPsecPolicyMerge"
$expectedValue = 0;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.3"
Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
$key = "LogFilePath"
$expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log";
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.2.3.4"
Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
$key = "LogFileSize"
$expectedValue = 16384;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "4.3.1.1"
Task = "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" `
-Name "WarningLevel" `
| Select-Object -ExpandProperty "WarningLevel"
if (($regValue -gt 90)) {
return @{
Message = "Registry value is '$regValue'. Expected: x <= 90"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.1.1"
Task = "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.1.2"
Task = "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.2.1"
Task = "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.2.2"
Task = "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.3.1"
Task = "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 196608)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 196608"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.3.2"
Task = "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.4.1"
Task = "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if (($regValue -lt 32768)) {
return @{
Message = "Registry value is '$regValue'. Expected: x >= 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.2.4.2"
Task = "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
-Name "Retention" `
| Select-Object -ExpandProperty "Retention"
if ($regValue -ne "0") {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.3.1"
Task = "Ensure 'Include command line in process creation events' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
-Name "ProcessCreationIncludeCmdLine_Enabled" `
| Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.4.2"
Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockLogging" `
| Select-Object -ExpandProperty "EnableScriptBlockLogging"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.3.4.3"
Task = "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" `
-Name "EnableTranscripting" `
| Select-Object -ExpandProperty "EnableTranscripting"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
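Review bot: The local-store path for the private profile is inconsistent between 4.2.2.1 and its siblings: `$path2` in 4.2.2.1 ends in `...\FirewallPolicy\PrivateProfile\Logging`, while 4.2.2.2–4.2.2.4 use `...\FirewallPolicy\StandardProfile\Logging`. Under `SharedAccess\Parameters\FirewallPolicy` the private profile is stored as `StandardProfile`, so 4.2.2.1 will most likely never find a local value and will judge the log-file name from the policy key alone (how Test-FirewallPaths treats a missing path is defined in Helpers\Firewall.ps1, not in this hunk). Change 4.2.2.1 to `$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"`. Separately, 4.2.1.1 expects `%SYSTEMROOT%` while 4.2.2.1 and 4.2.3.3 expect `%SystemRoot%`; whether that matters depends on how Test-FirewallPaths compares the strings, so one spelling should be used throughout.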
@@ -0,0 +1,171 @@
[AuditTest] @{
Id = "200"
Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "201"
Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "202"
Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "203"
Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "204"
Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "205"
Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
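Review bot: Test 202 rejects every value other than exactly 24 (`if ($setPolicy -ne 24)`), although its Task text says '24 or more password(s)', so a stricter history size such as 30 is reported as non-compliant. Mirror the bound checks that 204 and 205 use in this file: `if ($setPolicy -lt 24) {` and `Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"`.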
@@ -0,0 +1,77 @@
# Common
function Get-AuditPolicySubcategoryGUID {
Param(
[Parameter(Mandatory = $true)]
[AllowEmptyString()]
[string] $Subcategory
)
$map = @{
"Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}"
"Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}"
"System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}"
"IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}"
"Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}"
"Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}"
"Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}"
"Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}"
"IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}"
"IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}"
"IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}"
"Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}"
"Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}"
"Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}"
"User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}"
"Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}"
"File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}"
"Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}"
"Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}"
"SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}"
"Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}"
"Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}"
"Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}"
"File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}"
"Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}"
"Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}"
"Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}"
"Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}"
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}"
"Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}"
"Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}"
"Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}"
"Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}"
"Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}"
"Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}"
"DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}"
"RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}"
"Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}"
"Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}"
"Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}"
"Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}"
"Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}"
"MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}"
"Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}"
"Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}"
"User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}"
"Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}"
"Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}"
"Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}"
"Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}"
"Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}"
"Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}"
"Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}"
"Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}"
"Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}"
"Credential Validation" = "{0CCE923F-69AE-11D9-BED3-505054503030}"
"Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}"
"Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}"
"Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}"
}
if ($map.ContainsKey($Subcategory)) {
return $map[$Subcategory]
}
return ""
}
# Tests
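Review bot: Get-AuditPolicySubcategoryGUID returns an empty string for any name missing from `$map`, and `[AllowEmptyString()]` lets an empty `-Subcategory` through to the same result, so a misspelled subcategory name in a test is indistinguishable from a valid lookup until the caller's audit-policy query comes back empty (the callers are not in this hunk). Consider emitting `Write-Warning "Unknown audit subcategory: '$Subcategory'"` before the `return ""` so such tests fail visibly. The function also has no comment-based help; a short `.SYNOPSIS`/`.PARAMETER Subcategory`/`.OUTPUTS` block stating that the result is the subcategory's GUID string, or "" when the name is unknown, would help. Rebuilding the table on every call is harmless here; hoisting it to a script-scoped constant is optional tidy-up.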
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "235"
Task = "(ND, NE) Configure 'Accounts: Rename administrator account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "236"
Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "237"
Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. "
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "238"
Task = "(ND, NE) Configure 'Accounts: Rename guest account'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "263"
Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
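Review bot: Test 235 only rejects the English default via `\bAdministrator\b`, whereas test 238 in the same file also covers the German `Gast`; if localized installations are in scope, the administrator check should list the corresponding localized default names too, otherwise an unrenamed built-in account on such a system is reported as compliant. The `(?i)` prefix in test 238's pattern is redundant because `-match` is already case-insensitive (`-cmatch` is the case-sensitive form), so it can be dropped unless it is meant to document intent. Unlike the password-policy tests, the numeric checks here (236, 237, 263) compare `$setOption` without a `[long]` cast; `"0" -ne 0` still behaves because PowerShell converts the right operand to the left's type, but an explicit `$setOption = [long]$setOption` after the null check would make the comparison consistent across files.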
@@ -0,0 +1,289 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$avstatus = CheckForActiveAV
$windefrunning = CheckWindefRunning
if((Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise Evaluation" -or
(Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise"){
[AuditTest] @{
Id = "3.1.1"
Task = "Configuration of the lowest possible telemetry-level (Enterprise Windows 10)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
-Name "AllowTelemetry" `
| Select-Object -ExpandProperty "AllowTelemetry"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
}
else{
[AuditTest] @{
Id = "3.1.1"
Task = "Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
-Name "AllowTelemetry" `
| Select-Object -ExpandProperty "AllowTelemetry"
$saferClients = @("*Server*","*Education*","*Enterprise*")
$productname = Get-ComputerInfo | select -ExpandProperty OsName
if (($productname -notcontains $saferClients) -and ($regValue -eq 1)){
return @{
Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'."
Status = "Warning"
}
}
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
}
[AuditTest] @{
Id = "3.1.2 A"
Task = "Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.2 B"
Task = "Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 A"
Task = "Deactivation of telemetry according to Microsoft - Disable Windows Update Service"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 B"
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS"
Test = {
try {
if($avstatus){
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SpynetReporting" `
| Select-Object -ExpandProperty "SpynetReporting"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1.3 C"
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files"
Test = {
try {
if($avstatus){
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SubmitSamplesConsent" `
| Select-Object -ExpandProperty "SubmitSamplesConsent"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
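Review bot: The OS check `if (($productname -notcontains $saferClients) -and ($regValue -eq 1))` in the non-Enterprise 3.1.1 test never does what the wildcard list suggests: `-notcontains` asks whether the scalar on the left contains the whole array as a single element, which is always true, and `-contains` does not apply wildcards anyway. The Warning branch therefore fires for every OS with AllowTelemetry = 1, including the Server/Education/Enterprise editions the list is meant to exempt, and those returns skip the `-ne 0` check that should report False. Matching each pattern fixes it: `$isSaferClient = [bool]($saferClients | Where-Object { $productname -like $_ })` followed by `if (-not $isSaferClient -and $regValue -eq 1) {`; `select` on the line above should also be spelled `Select-Object` in a script. Separately, the branch selection at the top of the file compares Caption against two exact strings, so Enterprise LTSC, Enterprise N or Windows 11 Enterprise land in the non-Enterprise test; a `-like "*Enterprise*"` match would be consistent with the list inside the test.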
@@ -0,0 +1,199 @@
[AuditTest] @{
Id = "Medium-001"
Task = "Ensure 'Account lockout duration' is set to 0"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-002"
Task = "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-003"
Task = " Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -ne 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x == 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-146"
Task = "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-147"
Task = "Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-148"
Task = "Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-149"
Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
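Review bot: Medium-003's Task says 'Reset account lockout counter after' should be '15 or more minute(s)', but the check is `if (($setPolicy -ne 15))` with the message `Expected: x == 15`, so a stricter value such as 30 is reported as non-compliant. Changing the condition to `if ($setPolicy -lt 15) {` and the message to `Expected: x >= 15` matches the stated task and the `-lt 14` pattern used by Medium-147. The Task string of Medium-003 also starts with a stray space. The `[long]$setPolicy` cast in every test is not inside a try block; if the exported value is ever non-numeric the cast throws out of the Test script block instead of producing a False result — whether the caller catches that is not visible here.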
@@ -0,0 +1,110 @@
[AuditTest] @{
Id = "High-032"
Task = "Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-005"
Task = "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-069"
Task = "Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Medium-208"
Task = "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
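Review bot: All four Test blocks here repeat the same fetch, null check, compare and Compliant return, differing only in the key name and expected value; a small helper taking the key and the expected value would keep the message format identical across tests and cut each test to a few lines. Unlike the account-policy tests in the sibling file, none of these casts `$setOption` to a number before `-ne 0` / `-ne 1`; string comparison works when the value is exported exactly as '0' or '1', but any other spelling of the same number would be reported as non-compliant — worth confirming how Get-AuditResource normalises the value. For High-032 and Medium-069, `EnableAdminAccount` and `EnableGuestAccount` presumably reflect the policy-export value rather than the live state of the built-in accounts, so a `Currently not set.` result does not by itself mean the account is enabled; a comment saying so on that branch, or a cross-check of the local account's Enabled state, would make the finding easier to act on.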
@@ -0,0 +1,926 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "Medium-013"
Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-014"
Task = "Ensure 'Deny access to this computer from the network' is set to 'NT AUTHORITY\Local Account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-040"
Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-171"
Task = "Ensure 'Deny log on through Remote Desktop Services' is set to 'Administrators, NT AUTHORITY\Local Account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-185"
Task = "Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-232"
Task = "Ensure 'Back up files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-233"
Task = "Ensure 'Restore files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-234"
Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-235"
Task = "Ensure 'Act as part of the operating system' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-236"
Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-240"
Task = "Ensure 'Create a pagefile' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-241"
Task = "Ensure 'Create a token object' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-242"
Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-19"
"S-1-5-20"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-243"
Task = "Ensure 'Create permanent shared objects' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-244"
Task = "Ensure 'Debug programs' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-245"
Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-246"
Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-247"
Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-19"
"S-1-5-20"
"S-1-5-6"
"S-1-5-32-568"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-248"
Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-249"
Task = "Ensure 'Lock pages in memory' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-250"
Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-251"
Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-252"
Task = "Ensure 'Profile single process' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "Medium-253"
Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 365 -or $setPolicy -le 0) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
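Review bot: The check at L4885, `if ($setPolicy -ne 24)`, does not match the task text at L4874 ("24 or more password(s)"): any value other than exactly 24 is reported non-compliant, and the message at L4887 says "Expected: 24". Aligning the check with the stated requirement gives `if ($setPolicy -lt 24) {` and `Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"`. Windows currently caps this setting at 24, so the practical difference is small today, but the test and its task should agree. The `[long]$setPolicy` cast at L4884 (and its siblings) will throw on a non-numeric export value; whether the harness catches that is not visible here, so confirm before relying on it.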
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
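Review bot: The comparisons at L5140, L5212 and L5236 test `$setOption` against a number without the `$setOption = [long]$setOption` cast the password-policy tests apply before comparing (e.g. L4884), and the same pattern recurs at L5490, L5514 and L5586 in the later security-options section. Because PowerShell coerces the right operand to the left operand's type, a string value such as `"00"` or `" 0"` would compare unequal to `0` and be reported non-compliant, while the cast normalises it; adding `$setOption = [long]$setOption` after the null check makes these tests consistent with the rest of the file. Whether Get-AuditResource returns the exported value as a string or a number is not visible here, so confirm against the resource implementation.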
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-63405"
Task = "Windows 10 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63409"
Task = "The number of allowed bad logon attempts must be configured to 3 or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63413"
Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63415"
Task = "The password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63419"
Task = "The maximum password age must be configured to 60 days or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63421"
Task = "The minimum password age must be configured to at least 1 day."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63423"
Task = "Passwords must, at a minimum, be 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63427"
Task = "The built-in Microsoft password complexity filter must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63429"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
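Review bot: The lockout-threshold check at L5288 is inverted relative to the task at L5277: `$setPolicy -lt 3 -or $setPolicy -eq 0` marks the stricter values 1 and 2 non-compliant while any threshold above 3 (10, 50, ...) passes, so a host that tolerates many bad logon attempts reports Compliant for V-63409. Following the shape used at L5063, this should read `if ($setPolicy -gt 3 -or $setPolicy -le 0) {` with the message at L5290 changed to `Expected: x <= 3 and x != 0`. Separately, the comment at L4911 records that a GPO value of 0 for the maximum password age is exported as -1, but the V-63419 check at L5363 tests `-eq 0` only, so a "never expires" value of -1 passes; `-le 0` as at L4910 closes that gap.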
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "V-63601"
Task = "The built-in administrator account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableAdminAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63611"
Task = "The built-in guest account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63619"
Task = "The built-in administrator account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63625"
Task = "The built-in guest account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-63739"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
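Review bot: The failure messages at L5540 and L5564 state only the current value and omit the `Expected:` clause that every other test in this section carries, so a reader of the report cannot see why the name was rejected. Suggest `Message = "'NewAdministratorName' currently set to: $setOption. Expected: any name other than 'Administrator'"` at L5540 and the analogous `Expected: any name other than 'Guest' or 'Gast'` at L5564. The `(?i)` at L5562 is redundant since `-notmatch` is case-insensitive by default in PowerShell, which is also why L5538 behaves the same without it; dropping it, or adding it to L5538, would make the two patterns consistent.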
@@ -0,0 +1,956 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") {
return @{
Account = $null
Sid = $sidAccount.Value
}
} else {
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "V-63843"
Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63845"
Task = "The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"Administrators"
"Remote Desktop Users"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63847"
Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63851"
Task = "The Allow log on locally user right must only be assigned to the Administrators and Users groups."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"Administrators"
"Users"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63853"
Task = "The Back up files and directories user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63857"
Task = "The Create a pagefile user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63859"
Task = "The Create a token object user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63861"
Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"Administrators"
"LOCAL SERVICE"
"NETWORK SERVICE"
"SERVICE"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63863"
Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63865"
Task = "The Create symbolic links user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63869"
Task = "The Debug programs user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63871"
Task = "The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63877"
Task = "The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
$identityAccounts = @(
"Enterprise Admins"
"Domain Admins"
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63879"
Task = "The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"Enterprise Admins"
"Domain Admins"
"Local account"
"Guests"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63881"
Task = "The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63883"
Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63889"
Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"Administrators"
"LOCAL SERVICE"
"NETWORK SERVICE"
"SERVICE"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63917"
Task = "The Load and unload device drivers user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63925"
Task = "The Lock pages in memory user right must not be assigned to any groups or accounts."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63927"
Task = "The Manage auditing and security log user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63931"
Task = "The Modify firmware environment values user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63933"
Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63935"
Task = "The Profile single process user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63939"
Task = "The Restore files and directories user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "V-63941"
Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"Administrators"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
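Review bot: The catch-all at the end of ConvertTo-NTAccountUser folds every failure into `Account = "Orphaned Account"`, so an expected identity that cannot be resolved on the audited host (e.g. "Enterprise Admins" / "Domain Admins" in V-63877 and V-63879 on a workgroup machine, or when no domain controller answers) enters the comparison as a literal account named "Orphaned Account", and the test then reports that string as missing instead of the name that failed to resolve. Catching `[System.Security.Principal.IdentityNotMappedException]` separately and logging the exception keeps genuinely unmappable SIDs marked as orphaned while making the other failure modes (malformed SID, lookup error) visible in the audit output rather than silently collapsed into a pass/fail; whether the runner would cope with an exception escaping a `Test` scriptblock is not visible here, so the rewrite below keeps the existing return value and only adds a warning for the non-mapping case. Separately, the "Less UserRights" branch of V-63869 builds `$users` by appending `$currentUser.Values`, which stringifies each entry's values with a space and no separator between entries; `$users = ($currentUserRights.Account -join ", ")` would read better, assuming the entries carry an Account key as the other tests assume.
```powershell
        # … unchanged: try block (localisation, SID map, Translate) …
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Only an identity the local LSA cannot map is reported as orphaned.
            Write-Verbose "[ConvertTo-NTAccountUser] Identity '$Name' could not be mapped: $($_.Exception.Message)"
            return @{
                Account = "Orphaned Account"
                Sid = $Name
            }
        }
        catch {
            # Any other failure is surfaced so it is not mistaken for an orphaned SID.
            Write-Warning "[ConvertTo-NTAccountUser] Failed to convert '$Name': $($_.Exception.Message)"
            return @{
                Account = "Orphaned Account"
                Sid = $Name
            }
        }
```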
@@ -0,0 +1,196 @@
[AuditTest] @{
Id = "AccountPolicy-216"
Task = "Ensure 'MinimumPasswordLength' is set to '14'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-217"
Task = "Ensure 'PasswordComplexity' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-218"
Task = "Ensure 'PasswordHistorySize' is set to '24'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-219"
Task = "Ensure 'LockoutBadCount' is set to '10'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-220"
Task = "Ensure 'ResetLockoutCount' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-221"
Task = "Ensure 'LockoutDuration' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-222"
Task = "Ensure 'ClearTextPassword' is set to '0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
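Review bot: The equality comparisons in AccountPolicy-216, -218, -220 and -221 (`if ($setPolicy -ne 14)`, `-ne 24`, `-ne 15`, `-ne 15`) report a stricter configuration as non-compliant — a 20-character minimum password length or a 30-entry password history yields Status "False" — while the LockoutBadCount test in the same hunk correctly checks a range (`$setPolicy -gt 10 -or $setPolicy -le 0`). If these values are meant as minimums, which the "x <= 10 and x > 0" wording of the lockout test suggests for this benchmark, the checks should read `if ($setPolicy -lt 14)` (and `-lt 24`, `-lt 15`) with the "Expected:" text changed to match; if exact values are really required, a one-line comment saying so would save the next reader the question. Independently, `$setPolicy = [long]$setPolicy` throws on a non-numeric value in the policy export, which aborts the Test scriptblock instead of producing a Status/Message pair; a parse guard such as `if (-not [long]::TryParse($setPolicy, [ref]$parsed)) { return @{ Message = "'MinimumPasswordLength' is not numeric: $setPolicy"; Status = "False" } }` keeps the report complete.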
@@ -0,0 +1,26 @@
[AuditTest] @{
Id = "SecurityOption-169"
Task = "Ensure 'LSAAnonymousNameLookup' is set to '0'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,882 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") {
return @{
Account = $null
Sid = $sidAccount.Value
}
} else {
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "UserRight-170"
Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-171"
Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-172"
Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-173"
Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-174"
Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($missingUsers.Count -gt 0)) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-175"
Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-176"
Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-177"
Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-178"
Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-179"
Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if ($missingUsers.Count -gt 0) {
$messages = @()
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-180"
Task = "Ensure 'Access this computer from the network' is set to 'Administrator, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-181"
Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-6"
"S-1-5-19"
"S-1-5-20"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-182"
Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-183"
Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-6"
"S-1-5-19"
"S-1-5-20"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-184"
Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-185"
Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-186"
Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-187"
Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-188"
Task = "Ensure 'Debug programs' is set to 'Administrators'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
if ($unexpectedUsers.Count -gt 0) {
$messages = @()
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
#No UserRights on System comparing to publisher recommendation
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
return @{
Status = "True"
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
}
}
#Less UserRights on System comparing to publisher recommendation
if($currentUserRights.Count -lt $identityAccounts.Count){
$users = ""
foreach($currentUser in $currentUserRights){
$users += $currentUser.Values
}
return @{
Status = "True"
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
}
}
#Same UserRights on System comparing to publisher recommendation
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-189"
Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-190"
Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-191"
Task = "Ensure 'SeTcbPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-192"
Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
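Review bot: In `ConvertTo-NTAccountUser` the `catch` at the end of the `process` block maps every failure — including a SID that simply no longer resolves to a principal — to the fixed label `Account = "Orphaned Account"`, and the per-right messages later join only the Account values (`$unexpectedUsers -join ", "`), so a finding such as an orphaned SID still holding SeDebugPrivilege or SeTcbPrivilege is reported without the SID an operator would need to locate and remove it. Keeping the identity in the label, e.g. `Account = "Orphaned Account ($Name)"`, or appending `$_.Sid` when the unexpected-users message is built, would preserve that evidence; if other code matches on the literal "Orphaned Account", it needs the same adjustment. The same catch also hides unrelated errors (a mistyped identity name, a translation failure) under that label, so a `Write-Verbose "[ConvertTo-NTAccountUser] $($_.Exception.Message)"` before the return would help triage. In UserRight-188 the positive-deviation branch builds `$users += $currentUser.Values` with no separator, which presumably concatenates Account and Sid into one unreadable token — `$users += "$($currentUser.Account) "` or a `-join ", "` over the collected accounts reads better; and the Task text of UserRight-180 says 'Administrator' where the identity list resolves S-1-5-32-544, i.e. the Administrators group.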
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 5 -or $setPolicy -le 0) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
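Review bot: The comparison in the 1.1.1 test, `if ($setPolicy -ne 24)`, fails any value other than exactly 24, while its Task text reads "24 or more password(s)"; the check should be `if ($setPolicy -lt 24) {` with the message changed to `Expected: x >= 24`. The same exact-match check is repeated in the 1.1.1 test of the later `@@ -0,0 +1,284 @@` hunk. Every other test in this hunk already expresses its requirement as a range (`-lt 14`, `-lt 15`, `-gt 365 -or -le 0`), so 1.1.1 is the one that diverges from the stated benchmark intent. In practice Windows caps this setting at 24, which is presumably why the mismatch has not surfaced, but the code should still encode the requirement as written.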
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
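Review bot: The failure messages for 2.3.1.4 and 2.3.1.5 (`Message = "'NewAdministratorName' currently set to: $setOption."` and the matching `NewGuestName` line) state the current value but, unlike every other test in this hunk, do not say what was expected; suggested wording is `Message = "'NewAdministratorName' currently set to: $setOption. Expected: any name other than 'Administrator'"` and `Message = "'NewGuestName' currently set to: $setOption. Expected: any name other than 'Guest' or 'Gast'"`. The two regexes are also written in different styles: the guest pattern carries an inline `(?i)` while the administrator pattern does not. PowerShell's `-notmatch` is case-insensitive by default, so the `(?i)` is redundant rather than a behavioural difference, but the two patterns should be written the same way so a reader does not assume the administrator check is case-sensitive.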
@@ -0,0 +1,284 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if ($setPolicy -eq -1) {
#Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
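Review bot: This file is a near-verbatim copy of the earlier `@@ -0,0 +1,255 @@` hunk, and the copies have already drifted: 1.2.1 here rejects `LockoutDuration` above 99999 and 1.2.4 does the same for `ResetLockoutCount`, whereas the earlier copy checks only the lower bound, and the "Expected" wording differs between the two (`x >= 1` vs `x >= 1 days`). Each `Test` block is the same "not set → cast to `[long]` → compare → Compliant" sequence differing only in the key, the comparison and the message, so a shared helper (for example a `Test-SecurityPolicyRange` function taking the key, lower bound, upper bound and unit) would keep the two benchmark versions consistent and make the 99999 ceiling a single documented constant. If the per-version duplication is deliberate, a header comment naming the benchmark version each file targets would explain why the same Ids carry different checks.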
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.1"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.3"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected any other name than 'Administrator'"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected any other name than 'Guest' or 'Gast'"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
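Review bot: The administrator and guest rename patterns (`"^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"` and the `Guest|Gast` variant) now reject any value longer than 20 characters, but the failure message still says only `Expected any other name than 'Administrator'`, so a long-but-valid name is reported with a reason that does not apply. Suggested message: `Message = "'NewAdministratorName' currently set to: $setOption. Expected: 1-20 characters and any name other than 'Administrator'"` (and the equivalent for `NewGuestName`). If `Get-AuditResource "WindowsSecurityPolicy"` returns the raw INI value, the surrounding quotes would count toward that 20-character limit — worth confirming against the resource, and worth a one-line comment on the lookahead either way, e.g. `# SAM account names are limited to 20 characters`.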
@@ -0,0 +1,196 @@
[AuditTest] @{
Id = "AccountPolicy-361"
Task = "Ensure 'MinimumPasswordLength' is set to '14' character(s)."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-362"
Task = "The built-in Windows password complexity policy must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-363"
Task = "The password history must be configured to 24 passwords remembered"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-364"
Task = "Ensure 'LockoutBadCount' is set to '10' invalid logon attempt(s)"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-365"
Task = "Ensure 'Reset account lockout counter after' is set to '10 minutes'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 10 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-366"
Task = "Ensure 'LockoutDuration' is set to '10 minutes'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 10 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-367"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
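Review bot: The exact-match checks in this file (`if ($setPolicy -ne 14)`, `if ($setPolicy -ne 10)` for `LockoutBadCount`, `ResetLockoutCount` and `LockoutDuration`) report a stricter configuration — a 15-character minimum length, a lower lockout threshold, a longer lockout duration — as non-compliant, which differs from the range style used in the CIS-numbered files in this commit. If the underlying policy defines floors and ceilings, the checks should read `if ($setPolicy -lt 14)`, `if ($setPolicy -gt 10)` (threshold) and `if ($setPolicy -lt 10)` (durations), with the messages updated to match. If the policy really mandates exact values, a comment such as `# Policy mandates the exact value; stricter settings are intentionally reported as non-compliant` above the comparison would stop a later reader from "fixing" it.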
@@ -0,0 +1,26 @@
[AuditTest] @{
Id = "SecurityOption-142"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,875 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "UserRight-143"
Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-144"
Task = "Ensure 'Restore files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-145"
Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-146"
Task = "Ensure 'Back up files and directories' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-147"
Task = "Ensure 'Deny log on through Remote Desktop Services' to include 'Local account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-148"
Task = "Ensure 'Create permanent shared objects' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-149"
Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-150"
Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-151"
Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-152"
Task = "Ensure 'Deny access to this computer from the network' is set to 'Local account'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-113"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-153"
Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-555"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-154"
Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed]"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
$identityAccounts = @(
"S-1-5-19"
"S-1-5-20"
"S-1-5-32-544"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-155"
Task = "Ensure 'Create a token object' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-156"
Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
$identityAccounts = @(
"S-1-5-19"
"S-1-5-20"
"S-1-5-32-544"
"S-1-5-6"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-157"
Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-158"
Task = "The Create a pagefile user right must only be assigned to the Administrators group."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-159"
Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
$identityAccounts = @(
"S-1-5-32-544"
"S-1-5-32-545"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-160"
Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-161"
Task = "Ensure 'Debug programs' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-162"
Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-163"
Task = "Ensure 'Profile single process' is set to 'Administrators'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-164"
Task = "Ensure 'Act as part of the operating system' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
[AuditTest] @{
Id = "UserRight-165"
Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
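Review bot: The 1.1.1 test fails on any PasswordHistorySize other than exactly 24 (`if ($setPolicy -ne 24)`) although its Task reads '24 or more password(s)' and every sibling test in this hunk expresses its threshold as a range; as far as I know Windows caps this setting at 24, so the exact comparison does not misreport today, but it should still read `if ($setPolicy -lt 24) {` with the message ending in `Expected: x >= 24` to match the documented intent. The same exact-match check appears in the 1.1.1 test of the later 255-line hunk on this page and should be changed alongside. Separately, every test here casts with `$setPolicy = [long]$setPolicy` outside any try/catch, so a non-numeric value would throw out of the scriptblock instead of producing a `Status = "False"` result; whether that can happen depends on how Get-AuditResource materializes the 'System Access' values, which is outside this hunk.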
@@ -0,0 +1,130 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
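Review bot: The three numeric checks in this hunk (`EnableGuestAccount`, `LSAAnonymousNameLookup`, `ForceLogoffWhenHourExpire`) compare `$setOption` against an integer without the `$setPolicy = [long]$setPolicy` cast the password-policy tests on this page apply, so the comparison type follows whatever Get-AuditResource returns; if that is a string, `-ne 0` becomes a string comparison and a value such as a padded or hex-formatted number would be reported non-compliant. Adding `$setOption = [long]$setOption` after the null check keeps the option tests consistent with the policy tests. Separately, the guest-name pattern embeds `(?i)` while the administrator-name pattern does not; `-notmatch` is already case-insensitive in PowerShell, so either drop the inline flag or use `-inotmatch` in both places so the intended case handling is explicit.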
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,144 @@
[AuditTest] @{
Id = "2.0"
Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RequireIntegrityActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.1"
Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" `
-Name "RaiseActivationAuthenticationLevel" `
| Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel"
if (($regValue -ne 2)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.0"
Task = "IPv6 Configuration Policy: Prefer IPv4 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0x20 (32)')"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" `
-Name "DisabledComponents" `
| Select-Object -ExpandProperty "DisabledComponents"
if (($regValue -ne 32)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 32"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.0"
Task = "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "ConsentPromptBehaviorUser" `
| Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
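Review bot: Tests 2.0 and 2.1 report `Registry value not found.` as a finding, but for these two DCOM hardening values absence is not, on its own, evidence of a non-hardened host: if I recall the rollout correctly, once the 2023 enforcement update is installed the hardened behaviour is the default and the value is only consulted on hosts that predate it. The failure message could carry that caveat, e.g. `Message = "Registry value not found. Hardened default applies on hosts with the 2023 DCOM enforcement update; verify patch level."`. All four tests repeat the same try/catch/Select-Object scaffold verbatim; a helper taking path, name and expected value would reduce each test to its parameters and keep the two catch clauses in one place.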
@@ -0,0 +1,102 @@
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
[AuditTest] @{
Id = "1.0"
Task = "Ensure 'Debug programs' is set to 'No One'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
$identityAccounts = @(
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
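Review bot: The catch-all at the end of `ConvertTo-NTAccountUser` turns every exception — including a transient directory lookup failure inside the `Translate` call — into `Account = "Orphaned Account"`, and sets `Sid = $Name` even when `$Name` was a friendly name that never resolved, so that field is not guaranteed to hold a SID. Consider emitting the cause before returning, `Write-Verbose "[ConvertTo-NTAccountUser] Could not translate '$Name': $($_.Exception.Message)"`, so an auditor can tell a genuinely orphaned SID from a lookup error; the same catch block appears in the second copy of this helper later in the commit (the one that dot-sources AuditGroupFunctions.ps1). That copy also hoists the Hyper-V check into a `$hyperVStatus` variable, whereas this one calls `Get-WindowsOptionalFeature -Online` inside the function on every `S-1-5-83-0` conversion, so the two helpers will drift unless one shared implementation is used.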
@@ -0,0 +1,255 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 365 -or $setPolicy -le 0) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0 "
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15 -or $setPolicy -gt 99999) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 and x <= 99999"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 99999 -or $setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 and x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
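Review bot: Test 1.1.1 is titled '24 or more password(s)' yet the condition is `$setPolicy -ne 24` with 'Expected: 24', which reads as a contradiction; since Windows caps 'Enforce password history' at 24 the two are equivalent, but the next reader will not know that without a comment such as `# 24 is the maximum Windows accepts, so "24 or more" reduces to exactly 24`. The same applies to 1.1.1 in the later copy of this file (the one that adds 1.2.3 'Allow Administrator account lockout'). 1.2.1 and 1.2.4 here also reject values above 99999 while that later copy checks only the lower bound; whichever is intended, the two copies should agree.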
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
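Review bot: The rename checks for `NewAdministratorName` and `NewGuestName` reject the default only as a whole word, so `\bAdministrator\b` does not match a value such as `Administrator2` and the test accepts a name that differs from the default by a single appended character. If that is intended, the failure message should state the actual requirement instead of echoing the raw regex, e.g. `Message = "'NewAdministratorName' currently set to: $setOption. Expected: a name of 1-20 characters that is not 'Administrator'"`, and hoisting the pattern into a variable would remove the literal duplicated between condition and message. The three `System Access` option tests here compare `$setOption` without the `[long]` cast the policy tests elsewhere in this commit apply; it works for plain "0"/"1" strings, but any padding or type difference from the parser will behave differently in this file than in the others. The identical file appears a second time later in the commit, with the same points.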
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-1097"
Task = "The number of allowed bad logon attempts must meet minimum requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1098"
Task = "The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1099"
Task = "Windows 2012 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1104"
Task = "The maximum password age must meet requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1105"
Task = "The minimum password age must meet requirements."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -eq 0)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1107"
Task = "The password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-1150"
Task = "The built-in Windows password complexity policy must be enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-2372"
Task = "Reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-6836"
Task = "Passwords must, at a minimum, be 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
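Review bot: V-1104 treats only 0 as 'never expires' (`$setPolicy -gt 60 -or $setPolicy -eq 0`), but the 1.1.2 test earlier in this commit documents that a Group Policy value of 0 is exported as -1 in the security policy, so a never-expires configuration passes this STIG check as compliant. `if ($setPolicy -gt 60 -or $setPolicy -le 0) {` with `Expected: x <= 60 and x > 0` closes that gap. In V-1097 the `-or $setPolicy -eq 0` is redundant under `-lt 3`, and the same condition is reused for V-73311 near the end of the commit under a Task that reads 'three or less' — there the comparison direction appears inverted (values below 3 fail, values above 3 pass); that later hunk runs past my view, so I could not see whether it is corrected elsewhere.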
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
@@ -0,0 +1,71 @@
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$hyperVStatus = CheckHyperVStatus
# Common
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Convert Domaingroups to german
$language = Get-UICulture
if ($language.Name -match "de-DE"){
if ($name -eq "Enterprise Admins"){
$name = "Organisations-Admins"
}
elseif ($name -eq "Domain Admins"){
$name = "Domänen-Admins"
}
}
# Convert friendlynames to SID
$map = @{
"Administrators" = "S-1-5-32-544"
"Guests" = "S-1-5-32-546"
"Local account" = "S-1-5-113"
"Local Service" = "S-1-5-19"
"Network Service" = "S-1-5-20"
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
"Remote Desktop Users" = "S-1-5-32-555"
"Service" = "S-1-5-6"
"Users" = "S-1-5-32-545"
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
}
if ($map.ContainsKey($name)) {
$name = $map[$name]
}
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch {
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
# Tests
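Review bot: `ConvertTo-NTAccountUser` reads `$hyperVStatus` from the enclosing script scope, where it is set once at load from `CheckHyperVStatus`; making that dependency explicit as `$script:hyperVStatus`, or taking it as a parameter with that value as default, keeps the function self-describing and avoids it picking up a caller's variable of the same name should the helper ever be dot-sourced into a different scope. The comment `# Identity doesn't exist on when Hyper-V isn't installed` should also name what is being skipped, e.g. `# S-1-5-83-0 (NT VIRTUAL MACHINE\Virtual Machines) only exists when the Hyper-V role is enabled`.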
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "V-73309"
Task = "Windows 2016 account lockout duration must be configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73311"
Task = "Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 3 -or $setPolicy -eq 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73313"
Task = "Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73315"
Task = "Windows Server 2016 password history must be configured to 24 passwords remembered."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73317"
Task = "Windows Server 2016 maximum password age must be configured to 60 days or less."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 60 -or $setPolicy -eq 0)) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73319"
Task = "Windows Server 2016 minimum password age must be configured to at least one day."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -eq 0)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73321"
Task = "Windows Server 2016 minimum password length must be configured to 14 characters."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73323"
Task = "Windows Server 2016 must have the built-in Windows password complexity policy enabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73325"
Task = "Windows Server 2016 reversible password encryption must be disabled."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
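Review bot: V-73317's check `if (($setPolicy -gt 60 -or $setPolicy -eq 0))` accepts a value of -1, which is what the CIS 1.1.2 test in this same commit documents (`#Setting 0 in GroupPolicy translates to -1 in AuditPolicy`) as the export of "password never expires"; on such a host this STIG test reports Compliant for the weakest possible setting. Using the same bound as the CIS test, `if ($setPolicy -gt 60 -or $setPolicy -le 0)`, with the message changed to `Expected: x <= 60 and x > 0`, closes that gap. The same encoding question applies to V-73309, where `-ne 0` is meant to accept "until an administrator unlocks" (the message says `x == 0`) but a -1 export would be flagged as below 15 — worth confirming how the resource represents that case before relying on it. V-73319's `($setPolicy -eq 0)` likewise lets a negative MinimumPasswordAge pass; `-lt 1`, as CIS 1.1.3 does, is the safer form.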
@@ -0,0 +1,104 @@
[AuditTest] @{
Id = "V-73623"
Task = "Windows Server 2016 built-in administrator account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73625"
Task = "Windows Server 2016 built-in guest account must be renamed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73665"
Task = "Anonymous SID/Name translation must not be allowed."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "V-73809"
Task = "Windows Server 2016 built-in guest account must be disabled."
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
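Review bot: The failure messages of V-73623 and V-73625 end at `currently set to: $setOption.` without stating what would have been compliant, unlike every other test in this commit, so a report reader has to open the script to learn why the value was rejected; `Message = "'NewAdministratorName' currently set to: $setOption. Expected: a name that does not contain 'Administrator'"` (and the Guest/Gast equivalent) would bring them in line. The `(?i)` in V-73625's pattern but not in V-73623's is cosmetic, because PowerShell's `-notmatch` is case-insensitive by default — both tests already behave the same, and `-cnotmatch` would be required if case-sensitivity were ever intended, so a short comment would prevent someone "harmonising" the two patterns in the wrong direction. Both tests only read the template value under `System Access` and never look at the account that actually holds RID 500/501, which matches the policy-based check but is worth noting in a comment so "Compliant" is not read as proof that the live account was renamed.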
@@ -0,0 +1,252 @@
[AuditTest] @{
Id = "AccountPolicy-001"
Task = "Ensure 'MinimumPasswordAge' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-002"
Task = "Ensure 'MaximumPasswordAge' is set to '60'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 60) {
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 60"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-003"
Task = "Ensure 'MinimumPasswordLength' is set to '14'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-004"
Task = "Ensure 'PasswordComplexity' is set to '1'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-005"
Task = "Ensure 'PasswordHistorySize' is set to '24'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-006"
Task = "Ensure 'LockoutBadCount' is set to '10'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 10) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-007"
Task = "Ensure 'ResetLockoutCount' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-008"
Task = "Ensure 'LockoutDuration' is set to '15'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 15) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "AccountPolicy-009"
Task = "Ensure 'ClearTextPassword' is set to '0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
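Review bot: Every AccountPolicy-00x test uses exact equality (`-ne 14`, `-ne 24`, `-ne 10`, ...), so a host hardened beyond the baseline — MinimumPasswordLength 15, PasswordHistorySize 30, LockoutBadCount 5 — is reported non-compliant, and AccountPolicy-006 in particular fails the LockoutBadCount value that the CIS 1.2.2 test in this same commit accepts. If these values are bounds rather than exact targets, the comparisons should say so: `if ($setPolicy -lt 14)` for the floors (001, 003, 005, 007, 008) and `if ($setPolicy -gt 10 -or $setPolicy -le 0)` for LockoutBadCount, with `-gt 60 -or $setPolicy -le 0` for MaximumPasswordAge so that a -1 "never expires" export is not accepted. If exact organisational values are the intent, a one-line comment at the top of the file stating that these are fixed values, not minimums, would stop the next reader from "fixing" them. Presumably only the project's documentation can settle which reading is meant, so this is a question rather than a confirmed defect.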
@@ -0,0 +1,283 @@
[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 1) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 14) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -lt 15 -or $setPolicy -gt 99999) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 5 -or $setPolicy -le 0) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -gt 99999 -or $setPolicy -lt 15) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
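Review bot: Test 1.1.1 is titled "Enforce password history is set to 24 or more password(s)" but its check `if ($setPolicy -ne 24)` fails any value above 24, so a host with a history of 30 — stricter than the benchmark — is reported non-compliant, while the neighbouring tests 1.1.3, 1.1.4, 1.2.1 and 1.2.4 correctly use `-lt` for their "or more" wording. The check should read `if ($setPolicy -lt 24)` with the message `Expected: x >= 24`. Separately, 1.2.1 and 1.2.4 cap their values at 99999 without explanation; if that is the maximum the policy accepts, a `# 99999 is the largest value the lockout policy allows` comment would explain the magic number.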
@@ -0,0 +1,133 @@
[AuditTest] @{
Id = "2.3.1.2"
Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["EnableGuestAccount"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.4"
Task = "(L1) Configure 'Accounts: Rename administrator account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewAdministratorName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") {
return @{
Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1.5"
Task = "(L1) Configure 'Accounts: Rename guest account'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["NewGuestName"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") {
return @{
Message = "'NewGuestName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.10.1"
Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["LSAAnonymousNameLookup"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 0) {
return @{
Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.6"
Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
Test = {
$securityOption = Get-AuditResource "WindowsSecurityPolicy"
$setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"]
if ($null -eq $setOption) {
return @{
Message = "Currently not set."
Status = "False"
}
}
if ($setOption -ne 1) {
return @{
Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
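Review bot: Tests 2.3.1.4 and 2.3.1.5 paste the raw regex into the failure message (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`), which is what an auditor reading the report will see; a plain-language expectation such as `Message = "'NewAdministratorName' currently set to: $setOption. Expected: at most 20 characters and not containing 'Administrator'"` reads better and matches the other tests in this commit. The `(?=.{1,20}$)` lookahead counts every character of `$setOption`, so if the resource returns the template value with its surrounding double quotes intact, a legitimate 19- or 20-character name would be rejected — worth confirming how `Get-AuditResource "WindowsSecurityPolicy"` normalises string values. `(?i)` is redundant under `-notmatch`, which is case-insensitive unless `-cnotmatch` is used; harmless, but a comment would keep the next reader from assuming the flag is what makes the check case-insensitive. The `-ne 0`/`-ne 1` comparisons in this file skip the `[long]` cast the account-policy tests apply; with the string on the left PowerShell coerces the right side to a string, so they work only while the exported value is exactly "0" or "1".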
