$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent $RootPath = Split-Path $RootPath -Parent . "$RootPath\Helpers\AuditGroupFunctions.ps1" $windefrunning = CheckWindefRunning . "$RootPath\Helpers\Firewall.ps1" $domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole $listOfWeakCipherSuites = getListOfWeakCipherSuites $listOfInsecureCipherSuites = getListOfInsecureCipherSuites [AuditTest] @{ Id = "1.1.7" Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] if ($null -eq $setPolicy) { return @{ Message = "Currently not set." Status = "False" } } $setPolicy = [long]$setPolicy if ($setPolicy -ne 0) { return @{ Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } if ($domainRole -eq 3) { [AuditTest] @{ Id = "2.2.38" Task = "Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Server" } ) Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } } if ($domainRole -ge 4) { [AuditTest] @{ Id = "2.3.5.2" Task = "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } ) Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` -Name "LDAPServerIntegrity" ` | Select-Object -ExpandProperty "LDAPServerIntegrity" if ($regValue -ne 2) { return @{ Message = "Registry value is '$regValue'. Expected: 2" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } } [AuditTest] @{ Id = "2.3.11.4" Task = "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` -Name "SupportedEncryptionTypes" ` | Select-Object -ExpandProperty "SupportedEncryptionTypes" if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) { return @{ Message = "Registry value is '$regValue'. Expected: x == 2147483644 or x == 2147483640" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.3.11.5" Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` -Name "NoLMHash" ` | Select-Object -ExpandProperty "NoLMHash" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "9.1.7" Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogDroppedPackets" $expectedValue = 1; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "9.1.8" Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } ) Test = { $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" $key = "LogSuccessfulConnections" $expectedValue = 1; $profileType = "Domain" $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType return @{ Message = $($result.Message) Status = $($result.Status) } } } [AuditTest] @{ Id = "18.3.3" Task = "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` -Name "Start" ` | Select-Object -ExpandProperty "Start" if ($regValue -ne 4) { return @{ Message = "Registry value is '$regValue'. Expected: 4" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.3.3" Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` -Name "SMB1" ` | Select-Object -ExpandProperty "SMB1" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.3.6" Task = "Ensure 'WDigest Authentication' is set to 'Disabled'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` -Name "UseLogonCredential" ` | Select-Object -ExpandProperty "UseLogonCredential" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.6.2" Task = "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` -Name "NoWarningNoElevationOnInstall" ` | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.6.3" Task = "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` -Name "UpdatePromptSettings" ` | Select-Object -ExpandProperty "UpdatePromptSettings" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.9.2" Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` -Name "DisableRealtimeMonitoring" ` | Select-Object -ExpandProperty "DisableRealtimeMonitoring" if ($regValue -eq 1) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 A" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 B" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "3b576869-a4ec-4529-8536-b80a7769e899" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 C" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 D" Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configured" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 E" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 F" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 G" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 H" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 I" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 J" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 K" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.47.5.1.2 L" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.10.43.6.1.2 M" Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block abuse of exploited vulnerable signed drivers)" Test = { try { if ((-not $windefrunning)) { return @{ Message = "This rule requires Windows Defender Antivirus to be enabled." Status = "None" } } $regValue = 0; $regValueTwo = 0; $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" $asrTest1 = Test-ASRRules -Path $Path -Value $Value if ($asrTest1) { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path $Path ` -Name $Value ` | Select-Object -ExpandProperty $Value } $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 if ($asrTest2) { $regValueTwo = Get-ItemProperty -ErrorAction Stop ` -Path $Path2 ` -Name $Value2 ` | Select-Object -ExpandProperty $Value2 } if ($regValue -ne 1 -and $regValueTwo -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.58.3.10.1" Task = "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` -Name "MaxIdleTime" ` | Select-Object -ExpandProperty "MaxIdleTime" if (($regValue -gt 900000 -or $regValue -eq 0)) { return @{ Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "18.9.58.3.10.2" Task = "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` -Name "MaxDisconnectionTime" ` | Select-Object -ExpandProperty "MaxDisconnectionTime" if ($regValue -ne 60000) { return @{ Message = "Registry value is '$regValue'. Expected: 60000" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.1.1" Task = "Disable SSLv2 Protocol (Server)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.1.2" Task = "Disable SSLv2 Protocol (Server DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.1.3" Task = "Disable SSLv2 Protocol (Client)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.1.4" Task = "Disable SSLv2 Protocol (Client DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.2.1" Task = "Disable SSLv3 Protocol (Server)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.2.2" Task = "Disable SSLv3 Protocol (Server DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.2.3" Task = "Disable SSLv3 Protocol (Client)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.2.4" Task = "Disable SSLv3 Protocol (Client DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.3.1" Task = "Disable TLS1.0 Protocol (Server)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.3.2" Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.3.3" Task = "Disable TLS1.0 Protocol (Client)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.3.4" Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.4.1" Task = "Disable TLS1.1 Protocol (Server)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.4.2" Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.4.3" Task = "Disable TLS1.1 Protocol (Client)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.4.4" Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.5.1" Task = "Enable TLS1.2 Protocol (Server)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "1.5.2" Task = "Enable TLS1.2 Protocol (Server Default)" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` -Name "DisabledByDefault" ` | Select-Object -ExpandProperty "DisabledByDefault" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.1" Task = "Disable NULL Cipher" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.2" Task = "Disable DES Cipher Suite" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.3.1" Task = "Disable RC4 Cipher Suite - 40/128" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.3.2" Task = "Disable RC4 Cipher Suite - 56/128" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.3.3" Task = "Disable RC4 Cipher Suite - 64/128" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.3.4" Task = "Disable RC4 Cipher Suite - 128/128" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.4" Task = "Disable AES 128/128 Cipher Suite" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.5" Task = "Enable AES 256/256 Cipher Suite" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -eq 4294967295) { return @{ Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + ''` + 'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' Status = "False" } } if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "2.6" Task = "Disable Triple DES Cipher Suite" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "3.1" Task = "Disable SHA-1 hash" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "3.2" Task = "Disable MD5 hash" Test = { try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" ` -Name "Enabled" ` | Select-Object -ExpandProperty "Enabled" if ($regValue -ne 0) { return @{ Message = "Registry value is '$regValue'. Expected: 0" Status = "False" } } } catch [System.Management.Automation.PSArgumentException] { return @{ Message = "Registry value not found." Status = "False" } } catch [System.Management.Automation.ItemNotFoundException] { return @{ Message = "Registry key not found." Status = "False" } } return @{ Message = "Compliant" Status = "True" } } } [AuditTest] @{ Id = "4.1" Task = "Configure Cipher Suite Ordering" Test = { #check if correct type $typeTable = @{ "String" = "String Value" "Byte" = "Byte Value" "Int32" = "DWORD (32-bit) Value" "Int64" = "QWORD (64-bit) Value" "String[]" = "Multi-String Value" } #Default status $status = "Error" #Output $verbInsecure = "rules have" $verbWeak = "rules have" try { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" ` -Name "Functions" $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" $res = $regValue.Functions.GetType().Name $currentType = $typeTable[$res] if ($res -ne [String]) { return @{ Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'" Status = "False" } } #check if insecure or weak cipher is inside value $regValues = $regValue.Split(',') $regValues = $regValues -replace ' ', '' $weakRulesFound = @() $insecureRulesFound = @() foreach ($element in $regValues) { if ($listOfWeakCipherSuites.Contains($element)) { $weakRulesFound += $element } if ($listOfInsecureCipherSuites.Contains($element)) { $insecureRulesFound += $element } } if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" } if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" } $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" #Preparing message foreach ($member in $weakRulesFound) { $status = "Warning" $weakMessage += "$($member)
" } foreach ($member in $insecureRulesFound) { $status = "False" $insecureMessage += "$($member)
" } #Combine or shorten message if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) { $message = "" if ($weakRulesFound.Count -eq 0) { $weakMessage = "" } if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" } $message = $insecureMessage + $weakMessage return @{ Message = $message Status = $status } } } catch { $regValue = Get-ItemProperty -ErrorAction Stop ` -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" ` -Name "Functions" $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" $res = $regValue.Functions.GetType().Name $currentType = $typeTable[$res] if ($res -ne [String[]]) { return @{ Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'" Status = "False" } } #check if insecure or weak cipher is inside value $regValues = $regValue -replace ' ', '' $weakRulesFound = @() $insecureRulesFound = @() foreach ($element in $regValues) { if ($listOfWeakCipherSuites.Contains($element)) { $weakRulesFound += $element } if ($listOfInsecureCipherSuites.Contains($element)) { $insecureRulesFound += $element } } if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" } if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" } $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" #Preparing message foreach ($member in $weakRulesFound) { $status = "Warning" $weakMessage += "$($member)
" } foreach ($member in $insecureRulesFound) { $status = "False" $insecureMessage += "$($member)
" } #Combine or shorten message if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) { $message = "" if ($weakRulesFound.Count -eq 0) { $weakMessage = "" } if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" } $message = $insecureMessage + $weakMessage return @{ Message = $message Status = $status } } } return @{ Message = "Compliant" Status = "True" } } }