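# Account-policy audit tests: password policy (1.1.x) and account lockout (1.2.x).
#
# Every test reads one value from the 'System Access' section of the resource
# returned by Get-AuditResource "WindowsSecurityPolicy" and returns a hashtable
# with a human-readable Message and a Status of "True" (compliant) or "False"
# (non-compliant). A value that is absent is reported as "False", so an
# unconfigured setting is never counted as compliant.
#
# NOTE(review): the [long] cast in each test throws if the stored value is not
# numeric; confirm how the caller reports an exception raised inside Test.

[AuditTest] @{
    Id = "1.1.1"
    Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # The rule is "24 or more", so only values below 24 fail. An equality
        # test against 24 would report a larger history size as non-compliant.
        if ($setPolicy -lt 24) {
            return @{
                Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.1.2"
    Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # Valid range is 1..365 days; zero and negative values are rejected.
        if ($setPolicy -gt 365 -or $setPolicy -le 0) {
            if ($setPolicy -eq -1) {
                # Setting 0 in GroupPolicy translates to -1 in AuditPolicy.
                # Report it in words so the finding reads as "never expires".
                $setPolicy = "Password never expires"
            }
            return @{
                Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.1.3"
    Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # A minimum age below one day lets a user cycle through the password
        # history immediately, which defeats the history rule (1.1.1).
        if ($setPolicy -lt 1) {
            return @{
                Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.1.4"
    Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # Anything shorter than 14 characters is non-compliant.
        if ($setPolicy -lt 14) {
            return @{
                Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.1.5"
    Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["PasswordComplexity"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # The test treats 1 as 'Enabled'; every other value fails.
        if ($setPolicy -ne 1) {
            return @{
                Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.1.7"
    Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # The test treats 0 as 'Disabled'; any other value means passwords are
        # kept in a recoverable form and the check fails.
        if ($setPolicy -ne 0) {
            return @{
                Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.2.1"
    Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["LockoutDuration"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # Accepted range is 15..99999 minutes.
        # NOTE(review): a negative value fails the lower bound. If the policy
        # source reports "locked until an administrator unlocks" as -1, that
        # stricter setting is flagged as non-compliant here; confirm intent.
        if ($setPolicy -lt 15 -or $setPolicy -gt 99999) {
            return @{
                Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.2.2"
    Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["LockoutBadCount"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # Valid range is 1..5 attempts. Zero is rejected explicitly because the
        # rule says "but not 0": a threshold of 0 fails the check.
        if ($setPolicy -gt 5 -or $setPolicy -le 0) {
            return @{
                Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}

[AuditTest] @{
    Id = "1.2.4"
    Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]

        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status = "False"
            }
        }
        $setPolicy = [long]$setPolicy

        # Accepted range is 15..99999 minutes.
        if ($setPolicy -gt 99999 -or $setPolicy -lt 15) {
            return @{
                Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes"
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}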