emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
atap/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies.ps1
T
emily 404ee3fec4 a
2026-05-11 09:15:08 +02:00

172 lines
4.9 KiB
PowerShell
Raw Permalink Blame History

[AuditTest] @{
Id = "200"
Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "201"
Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "202"
Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "203"
Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "204"
Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "205"
Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ."
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
Reference in New Issue View Git Blame Copy Permalink