1480 lines
58 KiB
PowerShell
1480 lines
58 KiB
PowerShell
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
|
|
$RootPath = Split-Path $RootPath -Parent
|
|
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
|
|
$hyperVStatus = CheckHyperVStatus
|
|
# Common
|
|
function ConvertTo-NTAccountUser {
|
|
[CmdletBinding()]
|
|
[OutputType([hashtable])]
|
|
Param(
|
|
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
|
|
[string] $Name
|
|
)
|
|
|
|
process {
|
|
try {
|
|
# Convert Domaingroups to german
|
|
$language = Get-UICulture
|
|
if ($language.Name -match "de-DE"){
|
|
if ($name -eq "Enterprise Admins"){
|
|
$name = "Organisations-Admins"
|
|
}
|
|
elseif ($name -eq "Domain Admins"){
|
|
$name = "Domänen-Admins"
|
|
}
|
|
}
|
|
|
|
# Convert friendlynames to SID
|
|
$map = @{
|
|
"Administrators" = "S-1-5-32-544"
|
|
"Guests" = "S-1-5-32-546"
|
|
"Local account" = "S-1-5-113"
|
|
"Local Service" = "S-1-5-19"
|
|
"Network Service" = "S-1-5-20"
|
|
"NT AUTHORITY\Authenticated Users" = "S-1-5-11"
|
|
"Remote Desktop Users" = "S-1-5-32-555"
|
|
"Service" = "S-1-5-6"
|
|
"Users" = "S-1-5-32-545"
|
|
"NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0"
|
|
}
|
|
|
|
if ($map.ContainsKey($name)) {
|
|
$name = $map[$name]
|
|
}
|
|
|
|
# Identity doesn't exist on when Hyper-V isn't installed
|
|
if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") {
|
|
return $null
|
|
}
|
|
|
|
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
|
|
if ($Name -match "^(S-[0-9-]{3,})") {
|
|
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
|
|
}
|
|
else {
|
|
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
|
|
}
|
|
if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") {
|
|
return @{
|
|
Account = $null
|
|
Sid = $sidAccount.Value
|
|
}
|
|
} else {
|
|
return @{
|
|
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
|
|
Sid = $sidAccount.Value
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
return @{
|
|
Account = "Orphaned Account"
|
|
Sid = $Name
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# Tests
|
|
[AuditTest] @{
|
|
Id = "277"
|
|
Task = "(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-19"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "278"
|
|
Task = "(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-19"
|
|
"S-1-5-32-545"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "279"
|
|
Task = "(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'.`n`n"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-90-0"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "280"
|
|
Task = "(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-7"
|
|
"S-1-5-32-546"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
if($hyperVStatus -ne "Enabled"){
|
|
[AuditTest] @{
|
|
Id = "281"
|
|
Task = "(HD) Configure 'Log on as a service'. [Hyper-V-Feature NOT installed]"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages = @()
|
|
$messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else{
|
|
[AuditTest] @{
|
|
Id = "281"
|
|
Task = "(HD) Configure 'Log on as a service'. [Hyper-V-Feature installed]"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-83-0"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "282"
|
|
Task = "(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-7"
|
|
"S-1-5-32-546"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "283"
|
|
Task = "(HD) Ensure 'Log on as a batch job' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "284"
|
|
Task = "(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
|
|
$missingUsers = @()
|
|
|
|
#save all sids
|
|
foreach($sid in $currentUserRights.sid){
|
|
$currentUserSIDs += $sid
|
|
}
|
|
#only these sids have to be in userRight
|
|
$identityAccounts = @(
|
|
"S-1-5-7"
|
|
"S-1-5-32-546"
|
|
"S-1-2-0"
|
|
)
|
|
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "285"
|
|
Task = "(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-32-555"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages = @()
|
|
$messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "286"
|
|
Task = "(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-19"
|
|
"S-1-5-20"
|
|
"S-1-5-6"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "287"
|
|
Task = "(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.`n`n"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-19"
|
|
"S-1-5-20"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "288"
|
|
Task = "(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "289"
|
|
Task = "(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-32-555"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages = @()
|
|
$messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "290"
|
|
Task = "(ND, NE) Ensure 'Debug programs' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages = @()
|
|
$messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
#No UserRights on System comparing to publisher recommendation
|
|
if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation."
|
|
}
|
|
}
|
|
#Less UserRights on System comparing to publisher recommendation
|
|
if($currentUserRights.Count -lt $identityAccounts.Count){
|
|
$users = ""
|
|
foreach($currentUser in $currentUserRights){
|
|
$users += $currentUser.Values
|
|
}
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)"
|
|
}
|
|
}
|
|
#Same UserRights on System comparing to publisher recommendation
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "291"
|
|
Task = "(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "292"
|
|
Task = "(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "293"
|
|
Task = "(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "294"
|
|
Task = "(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-19"
|
|
"S-1-5-20"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "295"
|
|
Task = "(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "296"
|
|
Task = "(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "297"
|
|
Task = "(ND, NE) Ensure 'Profile single process' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "298"
|
|
Task = "(ND, NE) Ensure 'Create a token object' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "299"
|
|
Task = "(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-19"
|
|
"S-1-5-20"
|
|
"S-1-5-6"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "300"
|
|
Task = "(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "301"
|
|
Task = "(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "302"
|
|
Task = "(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "303"
|
|
Task = "(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-19"
|
|
"S-1-5-20"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "304"
|
|
Task = "(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-32-545"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "305"
|
|
Task = "(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "306"
|
|
Task = "(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'.`n"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-7"
|
|
"S-1-5-32-546"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "307"
|
|
Task = "(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
"S-1-5-32-545"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "308"
|
|
Task = "(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "309"
|
|
Task = "(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "310"
|
|
Task = "(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' ."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "311"
|
|
Task = "(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "312"
|
|
Task = "(ND, NE) Ensure 'Modify an object label' is set to 'No One'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"]
|
|
$identityAccounts = @(
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "313"
|
|
Task = "(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'."
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "314"
|
|
Task = "(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. "
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"]
|
|
$identityAccounts = @(
|
|
"S-1-5-32-544"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($unexpectedUsers.Count -gt 0) {
|
|
$messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
|
|
}
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "315"
|
|
Task = "(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. `n`n"
|
|
Test = {
|
|
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
|
|
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
|
|
$identityAccounts = @(
|
|
"S-1-5-7"
|
|
"S-1-5-32-546"
|
|
"S-1-5-113"
|
|
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
|
|
|
|
|
|
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
|
|
|
|
if (($missingUsers.Count -gt 0)) {
|
|
$messages = @()
|
|
if ($missingUsers.Count -gt 0) {
|
|
$messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
|
|
}
|
|
$message = $messages -join [System.Environment]::NewLine
|
|
|
|
return @{
|
|
Status = "False"
|
|
Message = $message
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Status = "True"
|
|
Message = "Compliant"
|
|
}
|
|
}
|
|
}
|