emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
atap/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AccountPolicies.ps1
T
emily 404ee3fec4 a
2026-05-11 09:15:08 +02:00

284 lines
8.2 KiB
PowerShell
Raw Permalink Blame History

[AuditTest] @{
Id = "1.1.1"
Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 24) {
return @{
Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 365 -or $setPolicy -le 0)) {
if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy
$setPolicy = "Password never expires"
}
return @{
Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 1)) {
return @{
Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1 days"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 14)) {
return @{
Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutDuration"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -gt 5 -or $setPolicy -le 0)) {
return @{
Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 1) {
return @{
Message = "'AllowAdministratorLockout' currently set to: $setPolicy. Expected: 1"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if (($setPolicy -lt 15)) {
return @{
Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15 minutes"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
Reference in New Issue View Git Blame Copy Permalink