197 lines
5.5 KiB
PowerShell
197 lines
5.5 KiB
PowerShell
[AuditTest] @{
|
|
Id = "AccountPolicy-361"
|
|
Task = "Ensure 'MinimumPasswordLength' is set to '14' character(s)."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 14) {
|
|
return @{
|
|
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-362"
|
|
Task = "The built-in Windows password complexity policy must be enabled."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 1) {
|
|
return @{
|
|
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-363"
|
|
Task = "The password history must be configured to 24 passwords remembered"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 24) {
|
|
return @{
|
|
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-364"
|
|
Task = "Ensure 'LockoutBadCount' is set to '10' invalid logon attempt(s)"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 10) {
|
|
return @{
|
|
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-365"
|
|
Task = "Ensure 'Reset account lockout counter after' is set to '10 minutes'"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 10) {
|
|
return @{
|
|
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 10 minutes"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-366"
|
|
Task = "Ensure 'LockoutDuration' is set to '10 minutes'"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 10) {
|
|
return @{
|
|
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 10 minutes"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "AccountPolicy-367"
|
|
Task = "Reversible password encryption must be disabled."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
|
|
|
|
if ($null -eq $setPolicy) {
|
|
return @{
|
|
Message = "Currently not set."
|
|
Status = "False"
|
|
}
|
|
}
|
|
$setPolicy = [long]$setPolicy
|
|
|
|
if ($setPolicy -ne 0) {
|
|
return @{
|
|
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|