$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent $RootPath = Split-Path $RootPath -Parent . "$RootPath\Helpers\AuditGroupFunctions.ps1" $hyperVStatus = CheckHyperVStatus # Common function ConvertTo-NTAccountUser { [CmdletBinding()] [OutputType([hashtable])] Param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Name ) process { try { # Convert Domaingroups to german $language = Get-UICulture if ($language.Name -match "de-DE"){ if ($name -eq "Enterprise Admins"){ $name = "Organisations-Admins" } elseif ($name -eq "Domain Admins"){ $name = "Domänen-Admins" } } # Convert friendlynames to SID $map = @{ "Administrators" = "S-1-5-32-544" "Guests" = "S-1-5-32-546" "Local account" = "S-1-5-113" "Local Service" = "S-1-5-19" "Network Service" = "S-1-5-20" "NT AUTHORITY\Authenticated Users" = "S-1-5-11" "Remote Desktop Users" = "S-1-5-32-555" "Service" = "S-1-5-6" "Users" = "S-1-5-32-545" "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" } if ($map.ContainsKey($name)) { $name = $map[$name] } # Identity doesn't exist on when Hyper-V isn't installed if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { return $null } Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" if ($Name -match "^(S-[0-9-]{3,})") { $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name } else { $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) } if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { return @{ Account = $null Sid = $sidAccount.Value } } else { return @{ Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) Sid = $sidAccount.Value } } } catch { return @{ Account = "Orphaned Account" Sid = $Name } } } } # Tests [AuditTest] @{ Id = "UserRight-001" Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-002" Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-003" Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-004" Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-005" Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-006" Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-007" Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-008" Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] $identityAccounts = @( "S-1-5-32-544" "S-1-5-6" "S-1-5-19" "S-1-5-20" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-009" Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-010" Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-011" Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-012" Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-013" Task = "Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } if ($unexpectedUsers.Count -gt 0) { $messages = @() $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } #No UserRights on System comparing to publisher recommendation if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ return @{ Status = "True" Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." } } #Less UserRights on System comparing to publisher recommendation if($currentUserRights.Count -lt $identityAccounts.Count){ $users = "" foreach($currentUser in $currentUserRights){ $users += $currentUser.Values } return @{ Status = "True" Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" } } #Same UserRights on System comparing to publisher recommendation return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-014" Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-015" Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-016" Task = "Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-11'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] $identityAccounts = @( "S-1-5-32-544" "S-1-5-11" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-017" Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "MemberServer" } ) Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] $identityAccounts = @( "S-1-5-114" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($missingUsers.Count -gt 0)) { $messages = @() if ($missingUsers.Count -gt 0) { $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-018" Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] $identityAccounts = @( "S-1-5-32-544" "S-1-5-6" "S-1-5-19" "S-1-5-20" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-019" Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-020" Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-021" Task = "Ensure 'SeTcbPrivilege' is set to 'No One'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] $identityAccounts = @( ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-022" Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'" Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] $identityAccounts = @( "S-1-5-32-544" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { $messages = @() if ($unexpectedUsers.Count -gt 0) { $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") } if ($missingUsers.Count -gt 0) { $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } } [AuditTest] @{ Id = "UserRight-023" Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'" Constraints = @( @{ "Property" = "DomainRole"; "Values" = "MemberServer" } ) Test = { $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] $identityAccounts = @( "S-1-5-113" ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } if (($missingUsers.Count -gt 0)) { $messages = @() if ($missingUsers.Count -gt 0) { $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") } $message = $messages -join [System.Environment]::NewLine return @{ Status = "False" Message = $message } } return @{ Status = "True" Message = "Compliant" } } }