$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent $RootPath = Split-Path $RootPath -Parent . "$RootPath\Helpers\Firewall.ps1" [AuditTest] @{ Id = "4.1.1" Task = "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` -Name "CrashOnAuditFail" ` | Select-Object -ExpandProperty "CrashOnAuditFail" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.1.2" Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` -Name "SCENoApplyLegacyAuditPolicy" ` | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.2.1.1" Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogFilePath" $expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.1.2" Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogFileSize" $expectedValue = 16384; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.1.3" Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogDroppedPackets" $expectedValue = 1; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.1.4" Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogSuccessfulConnections" $expectedValue = 1; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.2.1" Task = "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging" $key = "LogFilePath" $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; $profileType = "Private" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.2.2" Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" $key = "LogFileSize" $expectedValue = 16384; $profileType = "Private" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.2.3" Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" $key = "LogDroppedPackets" $expectedValue = 1; $profileType = "Private" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.2.4" Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" $key = "LogSuccessfulConnections" $expectedValue = 1; $profileType = "Private" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.3.1" Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" $key = "AllowLocalPolicyMerge" $expectedValue = 0; $profileType = "Public" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.3.2" Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" $key = "AllowLocalIPsecPolicyMerge" $expectedValue = 0; $profileType = "Public" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.3.3" Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" $key = "LogFilePath" $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; $profileType = "Public" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.2.3.4" Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" $key = "LogFileSize" $expectedValue = 16384; $profileType = "Public" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "4.3.1.1" Task = "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` -Name "WarningLevel" ` | Select-Object -ExpandProperty "WarningLevel" if (($regValue -gt 90)) { return @{ Message = "Registry value is '$regValue'. Expected: x <= 90" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.1.1" Task = "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` -Name "MaxSize" ` | Select-Object -ExpandProperty "MaxSize" if (($regValue -lt 32768)) { return @{ Message = "Registry value is '$regValue'. Expected: x >= 32768" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.1.2" Task = "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` -Name "Retention" ` | Select-Object -ExpandProperty "Retention" if ($regValue -ne "0") { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.2.1" Task = "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` -Name "MaxSize" ` | Select-Object -ExpandProperty "MaxSize" if (($regValue -lt 32768)) { return @{ Message = "Registry value is '$regValue'. Expected: x >= 32768" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.2.2" Task = "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` -Name "Retention" ` | Select-Object -ExpandProperty "Retention" if ($regValue -ne "0") { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.3.1" Task = "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` -Name "MaxSize" ` | Select-Object -ExpandProperty "MaxSize" if (($regValue -lt 196608)) { return @{ Message = "Registry value is '$regValue'. Expected: x >= 196608" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.3.2" Task = "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` -Name "Retention" ` | Select-Object -ExpandProperty "Retention" if ($regValue -ne "0") { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.4.1" Task = "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` -Name "MaxSize" ` | Select-Object -ExpandProperty "MaxSize" if (($regValue -lt 32768)) { return @{ Message = "Registry value is '$regValue'. Expected: x >= 32768" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.2.4.2" Task = "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` -Name "Retention" ` | Select-Object -ExpandProperty "Retention" if ($regValue -ne "0") { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.3.1" Task = "Ensure 'Include command line in process creation events' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` -Name "ProcessCreationIncludeCmdLine_Enabled" ` | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.4.2" Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` -Name "EnableScriptBlockLogging" ` | Select-Object -ExpandProperty "EnableScriptBlockLogging" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.3.4.3" Task = "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` -Name "EnableTranscripting" ` | Select-Object -ExpandProperty "EnableTranscripting" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } }