$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$windefrunning = CheckWindefRunning
. "$RootPath\Helpers\Firewall.ps1"
[AuditTest] @{
Id = "Registry-001"
Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
-Name "RunThisTimeEnabled" `
| Select-Object -ExpandProperty "RunThisTimeEnabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-002"
Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
-Name "VersionCheckEnabled" `
| Select-Object -ExpandProperty "VersionCheckEnabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-003"
Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
-Name "RunInvalidSignatures" `
| Select-Object -ExpandProperty "RunInvalidSignatures"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-004"
Task = "Set registry value 'CheckExeSignatures' to yes."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
-Name "CheckExeSignatures" `
| Select-Object -ExpandProperty "CheckExeSignatures"
if ($regValue -ne "yes") {
return @{
Message = "Registry value is '$regValue'. Expected: yes"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-005"
Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
-Name "Isolation64Bit" `
| Select-Object -ExpandProperty "Isolation64Bit"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-006"
Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
-Name "DisableEPMCompat" `
| Select-Object -ExpandProperty "DisableEPMCompat"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-007"
Task = "Set registry value 'Isolation' to PMEM."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
-Name "Isolation" `
| Select-Object -ExpandProperty "Isolation"
if ($regValue -ne "PMEM") {
return @{
Message = "Registry value is '$regValue'. Expected: PMEM"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-008"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-009"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-010"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-011"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-012"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-013"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-014"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-015"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-016"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-017"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-018"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-019"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-020"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-021"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-022"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-023"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-024"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-025"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-026"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-027"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-028"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-029"
Task = "Set registry value '(Reserved)' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
-Name "(Reserved)" `
| Select-Object -ExpandProperty "(Reserved)"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-030"
Task = "Set registry value 'explorer.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
-Name "explorer.exe" `
| Select-Object -ExpandProperty "explorer.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-031"
Task = "Set registry value 'iexplore.exe' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
-Name "iexplore.exe" `
| Select-Object -ExpandProperty "iexplore.exe"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-032"
Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
-Name "PreventOverrideAppRepUnknown" `
| Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-033"
Task = "Set registry value 'PreventOverride' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
-Name "PreventOverride" `
| Select-Object -ExpandProperty "PreventOverride"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-034"
Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
-Name "EnabledV9" `
| Select-Object -ExpandProperty "EnabledV9"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-035"
Task = "Set registry value 'NoCrashDetection' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" `
-Name "NoCrashDetection" `
| Select-Object -ExpandProperty "NoCrashDetection"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-036"
Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" `
-Name "DisableSecuritySettingsCheck" `
| Select-Object -ExpandProperty "DisableSecuritySettingsCheck"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-037"
Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" `
-Name "BlockNonAdminActiveXInstall" `
| Select-Object -ExpandProperty "BlockNonAdminActiveXInstall"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-038"
Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" `
-Name "OnlyUseAXISForActiveXInstall" `
| Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-039"
Task = "Set registry value 'Security_zones_map_edit' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "Security_zones_map_edit" `
| Select-Object -ExpandProperty "Security_zones_map_edit"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-040"
Task = "Set registry value 'Security_options_edit' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "Security_options_edit" `
| Select-Object -ExpandProperty "Security_options_edit"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-041"
Task = "Set registry value 'Security_HKLM_only' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "Security_HKLM_only" `
| Select-Object -ExpandProperty "Security_HKLM_only"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-042"
Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "CertificateRevocation" `
| Select-Object -ExpandProperty "CertificateRevocation"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-043"
Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "PreventIgnoreCertErrors" `
| Select-Object -ExpandProperty "PreventIgnoreCertErrors"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-044"
Task = "Set registry value 'WarnOnBadCertRecving' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "WarnOnBadCertRecving" `
| Select-Object -ExpandProperty "WarnOnBadCertRecving"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-045"
Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "EnableSSL3Fallback" `
| Select-Object -ExpandProperty "EnableSSL3Fallback"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-046"
Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
-Name "SecureProtocols" `
| Select-Object -ExpandProperty "SecureProtocols"
if ($regValue -ne 2560) {
return @{
Message = "Registry value is '$regValue'. Expected: 2560"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-047"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-048"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-049"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-050"
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\3]"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" `
-Name "2301" `
| Select-Object -ExpandProperty "2301"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-051"
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
-Name "2301" `
| Select-Object -ExpandProperty "2301"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-052"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-053"
Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" `
-Name "UNCAsIntranet" `
| Select-Object -ExpandProperty "UNCAsIntranet"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-054"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-055"
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
-Name "270C" `
| Select-Object -ExpandProperty "270C"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-056"
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
-Name "270C" `
| Select-Object -ExpandProperty "270C"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-057"
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
-Name "1201" `
| Select-Object -ExpandProperty "1201"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-058"
Task = "Ensure 'Java permissions' is set to 'High safety'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 65536) {
return @{
Message = "Registry value is '$regValue'. Expected: 65536"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-059"
Task = "Ensure 'Java permissions' is set to 'High safety'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 65536) {
return @{
Message = "Registry value is '$regValue'. Expected: 65536"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-060"
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
-Name "270C" `
| Select-Object -ExpandProperty "270C"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-061"
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
-Name "1201" `
| Select-Object -ExpandProperty "1201"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-062"
Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2001" `
| Select-Object -ExpandProperty "2001"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-063"
Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2102" `
| Select-Object -ExpandProperty "2102"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-064"
Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1802" `
| Select-Object -ExpandProperty "1802"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-065"
Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "160A" `
| Select-Object -ExpandProperty "160A"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-066"
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1201" `
| Select-Object -ExpandProperty "1201"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-067"
Task = "Ensure 'Access data sources across domains' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1406" `
| Select-Object -ExpandProperty "1406"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-068"
Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1804" `
| Select-Object -ExpandProperty "1804"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-069"
Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2200" `
| Select-Object -ExpandProperty "2200"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-070"
Task = "Ensure 'Allow scriptlets' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1209" `
| Select-Object -ExpandProperty "1209"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-071"
Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1206" `
| Select-Object -ExpandProperty "1206"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-072"
Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1809" `
| Select-Object -ExpandProperty "1809"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-073"
Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2500" `
| Select-Object -ExpandProperty "2500"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-074"
Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2103" `
| Select-Object -ExpandProperty "2103"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-075"
Task = "Ensure 'Userdata persistence' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1606" `
| Select-Object -ExpandProperty "1606"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-076"
Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2402" `
| Select-Object -ExpandProperty "2402"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-077"
Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2004" `
| Select-Object -ExpandProperty "2004"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-078"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-079"
Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1001" `
| Select-Object -ExpandProperty "1001"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-080"
Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1A00" `
| Select-Object -ExpandProperty "1A00"
if ($regValue -ne 65536) {
return @{
Message = "Registry value is '$regValue'. Expected: 65536"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-081"
Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2708" `
| Select-Object -ExpandProperty "2708"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-082"
Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1004" `
| Select-Object -ExpandProperty "1004"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-083"
Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "120b" `
| Select-Object -ExpandProperty "120b"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-084"
Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1407" `
| Select-Object -ExpandProperty "1407"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-085"
Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1409" `
| Select-Object -ExpandProperty "1409"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-086"
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "270C" `
| Select-Object -ExpandProperty "270C"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-087"
Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1607" `
| Select-Object -ExpandProperty "1607"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-088"
Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2709" `
| Select-Object -ExpandProperty "2709"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-089"
Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2101" `
| Select-Object -ExpandProperty "2101"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-090"
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\3]"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "2301" `
| Select-Object -ExpandProperty "2301"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-091"
Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "1806" `
| Select-Object -ExpandProperty "1806"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-092"
Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "120c" `
| Select-Object -ExpandProperty "120c"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-093"
Task = "Set registry value '140C' to 3."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
-Name "140C" `
| Select-Object -ExpandProperty "140C"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-094"
Task = "Ensure 'Allow META REFRESH' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1608" `
| Select-Object -ExpandProperty "1608"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-095"
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1201" `
| Select-Object -ExpandProperty "1201"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-096"
Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1001" `
| Select-Object -ExpandProperty "1001"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-097"
Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1607" `
| Select-Object -ExpandProperty "1607"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-098"
Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "120b" `
| Select-Object -ExpandProperty "120b"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-099"
Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1809" `
| Select-Object -ExpandProperty "1809"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-100"
Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1004" `
| Select-Object -ExpandProperty "1004"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-101"
Task = "Ensure 'Userdata persistence' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1606" `
| Select-Object -ExpandProperty "1606"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-102"
Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1407" `
| Select-Object -ExpandProperty "1407"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-103"
Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "160A" `
| Select-Object -ExpandProperty "160A"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-104"
Task = "Ensure 'Access data sources across domains' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1406" `
| Select-Object -ExpandProperty "1406"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-105"
Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2102" `
| Select-Object -ExpandProperty "2102"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-106"
Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2004" `
| Select-Object -ExpandProperty "2004"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-107"
Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2200" `
| Select-Object -ExpandProperty "2200"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-108"
Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2000" `
| Select-Object -ExpandProperty "2000"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-109"
Task = "Ensure 'Scripting of Java applets' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1402" `
| Select-Object -ExpandProperty "1402"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-110"
Task = "Ensure 'Allow file downloads' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1803" `
| Select-Object -ExpandProperty "1803"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-111"
Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2402" `
| Select-Object -ExpandProperty "2402"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-112"
Task = "Ensure 'Allow active scripting' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1400" `
| Select-Object -ExpandProperty "1400"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-113"
Task = "Ensure 'Logon options' is set to 'Anonymous logon'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1A00" `
| Select-Object -ExpandProperty "1A00"
if ($regValue -ne 196608) {
return @{
Message = "Registry value is '$regValue'. Expected: 196608"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-114"
Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2001" `
| Select-Object -ExpandProperty "2001"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-115"
Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2500" `
| Select-Object -ExpandProperty "2500"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-116"
Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1409" `
| Select-Object -ExpandProperty "1409"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-117"
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1C00" `
| Select-Object -ExpandProperty "1C00"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-118"
Task = "Ensure 'Allow scriptlets' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1209" `
| Select-Object -ExpandProperty "1209"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-119"
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "270C" `
| Select-Object -ExpandProperty "270C"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-120"
Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1206" `
| Select-Object -ExpandProperty "1206"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-121"
Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2708" `
| Select-Object -ExpandProperty "2708"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-122"
Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1802" `
| Select-Object -ExpandProperty "1802"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-123"
Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2103" `
| Select-Object -ExpandProperty "2103"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-124"
Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2709" `
| Select-Object -ExpandProperty "2709"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-125"
Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1405" `
| Select-Object -ExpandProperty "1405"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-126"
Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2101" `
| Select-Object -ExpandProperty "2101"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-127"
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\4]"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "2301" `
| Select-Object -ExpandProperty "2301"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-128"
Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1200" `
| Select-Object -ExpandProperty "1200"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-129"
Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1804" `
| Select-Object -ExpandProperty "1804"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-130"
Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "1806" `
| Select-Object -ExpandProperty "1806"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-131"
Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "120c" `
| Select-Object -ExpandProperty "120c"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-132"
Task = "Set registry value '140C' to 3."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
-Name "140C" `
| Select-Object -ExpandProperty "140C"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-133"
Task = "Ensure 'Turn off Autoplay' is set to 'All drives'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-Name "NoDriveTypeAutoRun" `
| Select-Object -ExpandProperty "NoDriveTypeAutoRun"
if ($regValue -ne 255) {
return @{
Message = "Registry value is '$regValue'. Expected: 255"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-134"
Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-Name "NoAutorun" `
| Select-Object -ExpandProperty "NoAutorun"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-135"
Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "DisableAutomaticRestartSignOn" `
| Select-Object -ExpandProperty "DisableAutomaticRestartSignOn"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-136"
Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "LocalAccountTokenFilterPolicy" `
| Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-143"
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -ne 32768) {
return @{
Message = "Registry value is '$regValue'. Expected: 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-153"
Task = "Set registry value 'NoLockScreenCamera' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
-Name "NoLockScreenCamera" `
| Select-Object -ExpandProperty "NoLockScreenCamera"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-157"
Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
-Name "EnumerateLocalUsers" `
| Select-Object -ExpandProperty "EnumerateLocalUsers"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-169"
Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" `
-Name "RestrictRemoteClients" `
| Select-Object -ExpandProperty "RestrictRemoteClients"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-186"
Task = "Set registry value 'AdmPwdEnabled' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" `
-Name "AdmPwdEnabled" `
| Select-Object -ExpandProperty "AdmPwdEnabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-197"
Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "RestrictRemoteSAM" `
| Select-Object -ExpandProperty "RestrictRemoteSAM"
if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
return @{
Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-198"
Task = "Set registry value 'EnablePlainTextPassword' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
-Name "EnablePlainTextPassword" `
| Select-Object -ExpandProperty "EnablePlainTextPassword"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-199"
Task = "Set registry value 'NoLMHash' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "NoLMHash" `
| Select-Object -ExpandProperty "NoLMHash"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-200"
Task = "Set registry value 'LimitBlankPasswordUse' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "LimitBlankPasswordUse" `
| Select-Object -ExpandProperty "LimitBlankPasswordUse"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-201"
Task = "Set registry value 'ProtectionMode' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" `
-Name "ProtectionMode" `
| Select-Object -ExpandProperty "ProtectionMode"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-202"
Task = "Set registry value 'RestrictAnonymous' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "RestrictAnonymous" `
| Select-Object -ExpandProperty "RestrictAnonymous"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-203"
Task = "Set registry value 'RestrictNullSessAccess' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
-Name "RestrictNullSessAccess" `
| Select-Object -ExpandProperty "RestrictNullSessAccess"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-204"
Task = "Set registry value 'RestrictAnonymousSAM' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "RestrictAnonymousSAM" `
| Select-Object -ExpandProperty "RestrictAnonymousSAM"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-205"
Task = "Set registry value 'requirestrongkey' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "requirestrongkey" `
| Select-Object -ExpandProperty "requirestrongkey"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-206"
Task = "Set registry value 'requiresecuritysignature' to 1."
Test = {
try {
if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){
return @{
Message = "RequireSecuritySignature is not set to True"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch {
try{
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
-Name "RequireSecuritySignature" `
| Select-Object -ExpandProperty "RequireSecuritySignature"
return @{
Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here"
Status = "Warning"
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
}
}
}
[AuditTest] @{
Id = "Registry-207"
Task = "Set registry value 'RequireSecuritySignature' to 1."
Test = {
try {
if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){
return @{
Message = "RequireSecuritySignature is not set to True"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch {
try{
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
-Name "RequireSecuritySignature" `
| Select-Object -ExpandProperty "RequireSecuritySignature"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
}
}
}
[AuditTest] @{
Id = "Registry-208"
Task = "Set registry value 'signsecurechannel' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "signsecurechannel" `
| Select-Object -ExpandProperty "signsecurechannel"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-277"
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. (Member Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "LsaCfgFlags" `
| Select-Object -ExpandProperty "LsaCfgFlags"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-279"
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "EnableVirtualizationBasedSecurity" `
| Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-280"
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "RequirePlatformSecurityFeatures" `
| Select-Object -ExpandProperty "RequirePlatformSecurityFeatures"
if ($regValue -eq 3) {
return @{
Message = "Set to 'Secure Boot and DMA Protection' which is more secure."
Status = "True"
}
}
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-281"
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "HypervisorEnforcedCodeIntegrity" `
| Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-282"
Task = "Set registry value 'HVCIMATRequired' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "HVCIMATRequired" `
| Select-Object -ExpandProperty "HVCIMATRequired"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-283"
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Disabled'. (Domain Controller)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "LsaCfgFlags" `
| Select-Object -ExpandProperty "LsaCfgFlags"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-284"
Task = "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
-Name "ConfigureSystemGuardLaunch" `
| Select-Object -ExpandProperty "ConfigureSystemGuardLaunch"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-285"
Task = "Set registry value 'PUAProtection' to 1."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" `
-Name "PUAProtection" `
| Select-Object -ExpandProperty "PUAProtection"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-286"
Task = "Set registry value 'MpCloudBlockLevel' to 2."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" `
-Name "MpCloudBlockLevel" `
| Select-Object -ExpandProperty "MpCloudBlockLevel"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-287"
Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
-Name "DisableIOAVProtection" `
| Select-Object -ExpandProperty "DisableIOAVProtection"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-288"
Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
-Name "DisableRealtimeMonitoring" `
| Select-Object -ExpandProperty "DisableRealtimeMonitoring"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-289"
Task = "Ensure 'Turn on script scanning' is set to 'Enabled'"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
-Name "DisableScriptScanning" `
| Select-Object -ExpandProperty "DisableScriptScanning"
if (($regValue -ne 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-290"
Task = "Ensure 'Scan removable drives' is set to 'Enabled'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" `
-Name "DisableRemovableDriveScanning" `
| Select-Object -ExpandProperty "DisableRemovableDriveScanning"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-291"
Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SubmitSamplesConsent" `
| Select-Object -ExpandProperty "SubmitSamplesConsent"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-292"
Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "SpynetReporting" `
| Select-Object -ExpandProperty "SpynetReporting"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-293"
Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
-Name "DisableBlockAtFirstSeen" `
| Select-Object -ExpandProperty "DisableBlockAtFirstSeen"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-294"
Task = "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
$Value = "ExploitGuard_ASR_Rules"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
$Value2 = "ExploitGuard_ASR_Rules"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-295"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-296"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "3b576869-a4ec-4529-8536-b80a7769e899"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "3b576869-a4ec-4529-8536-b80a7769e899"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-297"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-298"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-299"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-300"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "d3e037e1-3eb8-44c8-a917-57927947596d"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-301"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-302"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-303"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-304"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "26190899-1602-49e8-8b27-eb1d0a1ce869"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-305"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-306"
Task = "Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "c1db55ab-c21a-4637-bb3f-a12568109d35"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "c1db55ab-c21a-4637-bb3f-a12568109d35"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-307"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if($asrTest1){
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if($asrTest2){
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-308"
Task = "Set registry value 'EnableNetworkProtection' to 1."
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" `
-Name "EnableNetworkProtection" `
| Select-Object -ExpandProperty "EnableNetworkProtection"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-316"
Task = "Set registry value 'FormSuggest Passwords' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
-Name "FormSuggest Passwords" `
| Select-Object -ExpandProperty "FormSuggest Passwords"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-317"
Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" `
-Name "FormSuggest PW Ask" `
| Select-Object -ExpandProperty "FormSuggest PW Ask"
if ($regValue -ne "no") {
return @{
Message = "Registry value is '$regValue'. Expected: no"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-318"
Task = "Set registry value 'FormSuggest Passwords' to no."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" `
-Name "FormSuggest Passwords" `
| Select-Object -ExpandProperty "FormSuggest Passwords"
if ($regValue -ne "no") {
return @{
Message = "Registry value is '$regValue'. Expected: no"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-322"
Task = "Set registry value 'AllowEncryptionOracle' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" `
-Name "AllowEncryptionOracle" `
| Select-Object -ExpandProperty "AllowEncryptionOracle"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-323"
Task = "Set registry value 'EnhancedAntiSpoofing' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" `
-Name "EnhancedAntiSpoofing" `
| Select-Object -ExpandProperty "EnhancedAntiSpoofing"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-324"
Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" `
-Name "DisableEnclosureDownload" `
| Select-Object -ExpandProperty "DisableEnclosureDownload"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-325"
Task = "Set registry value 'AllowProtectedCreds' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" `
-Name "AllowProtectedCreds" `
| Select-Object -ExpandProperty "AllowProtectedCreds"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-326"
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -ne 32768) {
return @{
Message = "Registry value is '$regValue'. Expected: 32768"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-327"
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
-Name "MaxSize" `
| Select-Object -ExpandProperty "MaxSize"
if ($regValue -ne 196608) {
return @{
Message = "Registry value is '$regValue'. Expected: 196608"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-329"
Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" `
-Name "NoAutoplayfornonVolume" `
| Select-Object -ExpandProperty "NoAutoplayfornonVolume"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-330"
Task = "Ensure 'Configure registry policy processing' is set to '0'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
-Name "NoBackgroundPolicy" `
| Select-Object -ExpandProperty "NoBackgroundPolicy"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-331"
Task = "Ensure 'Configure registry policy processing' is set to '0'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
-Name "NoGPOListChanges" `
| Select-Object -ExpandProperty "NoGPOListChanges"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-332"
Task = "Set registry value 'AlwaysInstallElevated' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
-Name "AlwaysInstallElevated" `
| Select-Object -ExpandProperty "AlwaysInstallElevated"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-333"
Task = "Ensure 'Allow user control over installs' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
-Name "EnableUserControl" `
| Select-Object -ExpandProperty "EnableUserControl"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-334"
Task = "Set registry value 'DeviceEnumerationPolicy' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" `
-Name "DeviceEnumerationPolicy" `
| Select-Object -ExpandProperty "DeviceEnumerationPolicy"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-335"
Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" `
-Name "AllowInsecureGuestAuth" `
| Select-Object -ExpandProperty "AllowInsecureGuestAuth"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-336"
Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
-Name "\\*\NETLOGON" `
| Select-Object -ExpandProperty "\\*\NETLOGON"
if($regValue -eq $null){
return @{
Message = "Registry key not found."
Status = "False"
}
}
$array = $regValue.Split(',') | ForEach-Object{ $_.Trim() }
$missingElements = @()
$elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1")
foreach ($element in $elementsToCheck) {
if ($array -notcontains $element) {
$missingElements += $element
}
}
if ($missingElements.Length -gt 0) {
return @{
Message = ($missingElements -join " and ") + " not configured correctly."
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-337"
Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
-Name "\\*\SYSVOL" `
| Select-Object -ExpandProperty "\\*\SYSVOL"
if($regValue -eq $null){
return @{
Message = "Registry key not found."
Status = "False"
}
}
$array = $regValue.Split(',') | ForEach-Object{ $_.Trim() }
$missingElements = @()
$elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1")
foreach ($element in $elementsToCheck) {
if ($array -notcontains $element) {
$missingElements += $element
}
}
if ($missingElements.Length -gt 0) {
return @{
Message = ($missingElements -join " and ") + " not configured correctly."
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-339"
Task = "Set registry value 'NoLockScreenSlideshow' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
-Name "NoLockScreenSlideshow" `
| Select-Object -ExpandProperty "NoLockScreenSlideshow"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-340"
Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockLogging" `
| Select-Object -ExpandProperty "EnableScriptBlockLogging"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-341"
Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockInvocationLogging" `
| Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-343"
Task = "Set registry value 'EnforcementMode' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Appx" `
-Name "EnforcementMode" `
| Select-Object -ExpandProperty "EnforcementMode"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-358"
Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
-Name "EnableSmartScreen" `
| Select-Object -ExpandProperty "EnableSmartScreen"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-359"
Task = "Set registry value 'ShellSmartScreenLevel' to Block."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
-Name "ShellSmartScreenLevel" `
| Select-Object -ExpandProperty "ShellSmartScreenLevel"
if ($regValue -ne "Block") {
return @{
Message = "Registry value is '$regValue'. Expected: Block"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-360"
Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" `
-Name "AllowIndexingEncryptedStoresOrItems" `
| Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-361"
Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowBasic" `
| Select-Object -ExpandProperty "AllowBasic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-362"
Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowUnencryptedTraffic" `
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-363"
Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
-Name "AllowDigest" `
| Select-Object -ExpandProperty "AllowDigest"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-364"
Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
-Name "AllowBasic" `
| Select-Object -ExpandProperty "AllowBasic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-365"
Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
-Name "AllowUnencryptedTraffic" `
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-366"
Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
-Name "DisableRunAs" `
| Select-Object -ExpandProperty "DisableRunAs"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-367"
Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" `
-Name "EnableMulticast" `
| Select-Object -ExpandProperty "EnableMulticast"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-368"
Task = "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
-Name "RestrictDriverInstallationToAdministrators" `
| Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators"
if (($regValue -ne 1)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-369"
Task = "Set registry value 'DisablePasswordSaving' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "DisablePasswordSaving" `
| Select-Object -ExpandProperty "DisablePasswordSaving"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-370"
Task = "Set registry value 'fDisableCdm' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fDisableCdm" `
| Select-Object -ExpandProperty "fDisableCdm"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-371"
Task = "Set registry value 'fPromptForPassword' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fPromptForPassword" `
| Select-Object -ExpandProperty "fPromptForPassword"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-372"
Task = "Set registry value 'fEncryptRPCTraffic' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "fEncryptRPCTraffic" `
| Select-Object -ExpandProperty "fEncryptRPCTraffic"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-373"
Task = "Set registry value 'MinEncryptionLevel' to 3."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "MinEncryptionLevel" `
| Select-Object -ExpandProperty "MinEncryptionLevel"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-375"
Task = "Domain: Set registry value 'DefaultOutboundAction' to 0."
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
$key = "DefaultOutboundAction"
$expectedValue = 0;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-376"
Task = "Domain: Set registry value 'DefaultInboundAction' to 1."
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
$key = "DefaultInboundAction"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-377"
Task = "Domain: Set registry value 'EnableFirewall' to 1."
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile";
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile";
$key = "EnableFirewall";
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-378"
Task = "Private: Set registry value 'EnableFirewall' to 1."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
$key = "EnableFirewall"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-379"
Task = "Private: Set registry value 'DefaultInboundAction' to 1."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
$key = "DefaultInboundAction"
$expectedValue = 1;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-380"
Task = "Private: Set registry value 'DefaultOutboundAction' to 0."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
$key = "DefaultOutboundAction"
$expectedValue = 0;
$profileType = "Private"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-381"
Task = "Public: Set registry value 'EnableFirewall' to 1."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "EnableFirewall"
$expectedValue = 1;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-382"
Task = "Public: Set registry value 'DefaultOutboundAction' to 0."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "DefaultOutboundAction"
$expectedValue = 0;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-383"
Task = "Public: Set registry value 'DefaultInboundAction' to 1."
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
$key = "DefaultInboundAction"
$expectedValue = 1;
$profileType = "Public"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "Registry-384"
Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" `
-Name "AllowWindowsInkWorkspace" `
| Select-Object -ExpandProperty "AllowWindowsInkWorkspace"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-385"
Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
-Name "UseLogonCredential" `
| Select-Object -ExpandProperty "UseLogonCredential"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-386"
Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" `
-Name "DisableExceptionChainValidation" `
| Select-Object -ExpandProperty "DisableExceptionChainValidation"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-387"
Task = "Set registry value 'DriverLoadPolicy' to 3."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" `
-Name "DriverLoadPolicy" `
| Select-Object -ExpandProperty "DriverLoadPolicy"
if ($regValue -ne 3) {
return @{
Message = "Registry value is '$regValue'. Expected: 3"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-388"
Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name "SMB1" `
| Select-Object -ExpandProperty "SMB1"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-389"
Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-390"
Task = "Set registry value 'NoNameReleaseOnDemand' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
-Name "NoNameReleaseOnDemand" `
| Select-Object -ExpandProperty "NoNameReleaseOnDemand"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-391"
Task = "Set registry value 'NodeType' to 2."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
-Name "NodeType" `
| Select-Object -ExpandProperty "NodeType"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-392"
Task = "Set registry value 'EnableICMPRedirect' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
-Name "EnableICMPRedirect" `
| Select-Object -ExpandProperty "EnableICMPRedirect"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-393"
Task = "Set registry value 'DisableIPSourceRouting' to 2."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
-Name "DisableIPSourceRouting" `
| Select-Object -ExpandProperty "DisableIPSourceRouting"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-394"
Task = "Set registry value 'DisableIPSourceRouting' to 2."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
-Name "DisableIPSourceRouting" `
| Select-Object -ExpandProperty "DisableIPSourceRouting"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-395"
Task = "Set registry value 'allownullsessionfallback' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "allownullsessionfallback" `
| Select-Object -ExpandProperty "allownullsessionfallback"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-396"
Task = "Set registry value 'InactivityTimeoutSecs' to 900."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "InactivityTimeoutSecs" `
| Select-Object -ExpandProperty "InactivityTimeoutSecs"
if ($regValue -ne 900) {
return @{
Message = "Registry value is '$regValue'. Expected: 900"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-397"
Task = "Set registry value 'ScRemoveOption' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" `
-Name "ScRemoveOption" `
| Select-Object -ExpandProperty "ScRemoveOption"
if ($regValue -ne "1") {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-398"
Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "SCENoApplyLegacyAuditPolicy" `
| Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-399"
Task = "Set registry value 'EnableVirtualization' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableVirtualization" `
| Select-Object -ExpandProperty "EnableVirtualization"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-400"
Task = "Set registry value 'FilterAdministratorToken' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "FilterAdministratorToken" `
| Select-Object -ExpandProperty "FilterAdministratorToken"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-401"
Task = "Set registry value 'EnableLUA' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableLUA" `
| Select-Object -ExpandProperty "EnableLUA"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-402"
Task = "Set registry value 'EnableInstallerDetection' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableInstallerDetection" `
| Select-Object -ExpandProperty "EnableInstallerDetection"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-403"
Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "ConsentPromptBehaviorAdmin" `
| Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-404"
Task = "Set registry value 'ConsentPromptBehaviorUser' to 0."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "ConsentPromptBehaviorUser" `
| Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-405"
Task = "Set registry value 'EnableSecureUIAPaths' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "EnableSecureUIAPaths" `
| Select-Object -ExpandProperty "EnableSecureUIAPaths"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-406"
Task = "Set registry value 'LDAPClientIntegrity' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" `
-Name "LDAPClientIntegrity" `
| Select-Object -ExpandProperty "LDAPClientIntegrity"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-407"
Task = "Set registry value 'LmCompatibilityLevel' to 5."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "LmCompatibilityLevel" `
| Select-Object -ExpandProperty "LmCompatibilityLevel"
if ($regValue -ne 5) {
return @{
Message = "Registry value is '$regValue'. Expected: 5"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-408"
Task = "Set registry value 'NTLMMinClientSec' to 537395200."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "NTLMMinClientSec" `
| Select-Object -ExpandProperty "NTLMMinClientSec"
if ($regValue -ne 537395200) {
return @{
Message = "Registry value is '$regValue'. Expected: 537395200"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-409"
Task = "Set registry value 'sealsecurechannel' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "sealsecurechannel" `
| Select-Object -ExpandProperty "sealsecurechannel"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-410"
Task = "Set registry value 'NTLMMinServerSec' to 537395200."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "NTLMMinServerSec" `
| Select-Object -ExpandProperty "NTLMMinServerSec"
if ($regValue -ne 537395200) {
return @{
Message = "Registry value is '$regValue'. Expected: 537395200"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-411"
Task = "Set registry value 'requiresignorseal' to 1."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
-Name "requiresignorseal" `
| Select-Object -ExpandProperty "requiresignorseal"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-423"
Task = "Set registry value 'LDAPServerIntegrity' to 2."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" `
-Name "LDAPServerIntegrity" `
| Select-Object -ExpandProperty "LDAPServerIntegrity"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "Registry-424"
Task = "Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled, always (recommended)'."
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" `
-Name "LdapEnforceChannelBinding" `
| Select-Object -ExpandProperty "LdapEnforceChannelBinding"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}