10969 lines
356 KiB
PowerShell
10969 lines
356 KiB
PowerShell
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
|
|
$RootPath = Split-Path $RootPath -Parent
|
|
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
|
|
$avstatus = CheckForActiveAV
|
|
$windefrunning = CheckWindefRunning
|
|
$hyperVStatus = CheckHyperVStatus
|
|
. "$RootPath\Helpers\Firewall.ps1"
|
|
[AuditTest] @{
|
|
Id = "Registry-001"
|
|
Task = "Set registry value 'PUAProtection' to 1."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" `
|
|
-Name "PUAProtection" `
|
|
| Select-Object -ExpandProperty "PUAProtection"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-002"
|
|
Task = "Set registry value 'MpCloudBlockLevel' to 2."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" `
|
|
-Name "MpCloudBlockLevel" `
|
|
| Select-Object -ExpandProperty "MpCloudBlockLevel"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-003"
|
|
Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
|
|
-Name "DisableIOAVProtection" `
|
|
| Select-Object -ExpandProperty "DisableIOAVProtection"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-004"
|
|
Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
|
|
-Name "DisableRealtimeMonitoring" `
|
|
| Select-Object -ExpandProperty "DisableRealtimeMonitoring"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-005"
|
|
Task = "Ensure 'Scan removable drives' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" `
|
|
-Name "DisableRemovableDriveScanning" `
|
|
| Select-Object -ExpandProperty "DisableRemovableDriveScanning"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-006"
|
|
Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
|
|
-Name "SubmitSamplesConsent" `
|
|
| Select-Object -ExpandProperty "SubmitSamplesConsent"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-007"
|
|
Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
|
|
-Name "SpynetReporting" `
|
|
| Select-Object -ExpandProperty "SpynetReporting"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-008"
|
|
Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
|
|
-Name "DisableBlockAtFirstSeen" `
|
|
| Select-Object -ExpandProperty "DisableBlockAtFirstSeen"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-009"
|
|
Task = "Set registry value 'ExploitGuard_ASR_Rules' to 1."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
|
|
$Value = "ExploitGuard_ASR_Rules"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
|
|
$Value2 = "ExploitGuard_ASR_Rules"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-010"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-011"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "3b576869-a4ec-4529-8536-b80a7769e899"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "3b576869-a4ec-4529-8536-b80a7769e899"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-012"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-013"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-014"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-015"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "d3e037e1-3eb8-44c8-a917-57927947596d"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-016"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-017"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-018"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-019"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "26190899-1602-49e8-8b27-eb1d0a1ce869"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-020"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-021"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "c1db55ab-c21a-4637-bb3f-a12568109d35"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "c1db55ab-c21a-4637-bb3f-a12568109d35"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-022"
|
|
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = 0;
|
|
$regValueTwo = 0;
|
|
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
|
|
|
|
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
|
|
if($asrTest1){
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path `
|
|
-Name $Value `
|
|
| Select-Object -ExpandProperty $Value
|
|
}
|
|
|
|
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
|
|
$Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
|
|
|
|
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
|
|
if($asrTest2){
|
|
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
|
|
-Path $Path2 `
|
|
-Name $Value2 `
|
|
| Select-Object -ExpandProperty $Value2
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-023"
|
|
Task = "Set registry value 'EnableNetworkProtection' to 1."
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" `
|
|
-Name "EnableNetworkProtection" `
|
|
| Select-Object -ExpandProperty "EnableNetworkProtection"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-024"
|
|
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "EnableVirtualizationBasedSecurity" `
|
|
| Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-025"
|
|
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "RequirePlatformSecurityFeatures" `
|
|
| Select-Object -ExpandProperty "RequirePlatformSecurityFeatures"
|
|
|
|
if ($regValue -eq 3) {
|
|
return @{
|
|
Message = "Set to 'Secure Boot and DMA Protection' which is more secure."
|
|
Status = "True"
|
|
}
|
|
}
|
|
|
|
if ($regValue -ne 1 -and $regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1 or (better) 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-026"
|
|
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "HypervisorEnforcedCodeIntegrity" `
|
|
| Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-027"
|
|
Task = "Set registry value 'HVCIMATRequired' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "HVCIMATRequired" `
|
|
| Select-Object -ExpandProperty "HVCIMATRequired"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-028"
|
|
Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "LsaCfgFlags" `
|
|
| Select-Object -ExpandProperty "LsaCfgFlags"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-029"
|
|
Task = "Set registry value 'ConfigureSystemGuardLaunch' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
|
|
-Name "ConfigureSystemGuardLaunch" `
|
|
| Select-Object -ExpandProperty "ConfigureSystemGuardLaunch"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-031"
|
|
Task = "Set registry value 'UseEnhancedPin' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" `
|
|
-Name "UseEnhancedPin" `
|
|
| Select-Object -ExpandProperty "UseEnhancedPin"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-032"
|
|
Task = "Set registry value 'RDVDenyCrossOrg' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" `
|
|
-Name "RDVDenyCrossOrg" `
|
|
| Select-Object -ExpandProperty "RDVDenyCrossOrg"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-033"
|
|
Task = "Set registry value 'DisableExternalDMAUnderLock' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" `
|
|
-Name "DisableExternalDMAUnderLock" `
|
|
| Select-Object -ExpandProperty "DisableExternalDMAUnderLock"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-034"
|
|
Task = "Set registry value 'DCSettingIndex' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" `
|
|
-Name "DCSettingIndex" `
|
|
| Select-Object -ExpandProperty "DCSettingIndex"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-035"
|
|
Task = "Set registry value 'ACSettingIndex' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" `
|
|
-Name "ACSettingIndex" `
|
|
| Select-Object -ExpandProperty "ACSettingIndex"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-036"
|
|
Task = "Set registry value 'DenyDeviceClasses' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" `
|
|
-Name "DenyDeviceClasses" `
|
|
| Select-Object -ExpandProperty "DenyDeviceClasses"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-037"
|
|
Task = "Set registry value 'DenyDeviceClassesRetroactive' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" `
|
|
-Name "DenyDeviceClassesRetroactive" `
|
|
| Select-Object -ExpandProperty "DenyDeviceClassesRetroactive"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-038"
|
|
Task = "Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" `
|
|
-Name "1" `
|
|
| Select-Object -ExpandProperty "1"
|
|
|
|
if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-039"
|
|
Task = "Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" `
|
|
-Name "RDVDenyWriteAccess" `
|
|
| Select-Object -ExpandProperty "RDVDenyWriteAccess"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-040"
|
|
Task = "Set registry value 'AutoConnectAllowedOEM' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\WcmSvc\wifinetworkmanager\config" `
|
|
-Name "AutoConnectAllowedOEM" `
|
|
| Select-Object -ExpandProperty "AutoConnectAllowedOEM"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-041"
|
|
Task = "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" `
|
|
-Name "EnumerateAdministrators" `
|
|
| Select-Object -ExpandProperty "EnumerateAdministrators"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-042"
|
|
Task = "Ensure 'Turn off Autoplay' is set to 'All drives'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
|
|
-Name "NoDriveTypeAutoRun" `
|
|
| Select-Object -ExpandProperty "NoDriveTypeAutoRun"
|
|
|
|
if ($regValue -ne 255) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 255"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-043"
|
|
Task = "Set registry value 'NoWebServices' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
|
|
-Name "NoWebServices" `
|
|
| Select-Object -ExpandProperty "NoWebServices"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-044"
|
|
Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
|
|
-Name "NoAutorun" `
|
|
| Select-Object -ExpandProperty "NoAutorun"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-045"
|
|
Task = "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "MSAOptional" `
|
|
| Select-Object -ExpandProperty "MSAOptional"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-046"
|
|
Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "DisableAutomaticRestartSignOn" `
|
|
| Select-Object -ExpandProperty "DisableAutomaticRestartSignOn"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-047"
|
|
Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "LocalAccountTokenFilterPolicy" `
|
|
| Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-048"
|
|
Task = "Set registry value 'AllowEncryptionOracle' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" `
|
|
-Name "AllowEncryptionOracle" `
|
|
| Select-Object -ExpandProperty "AllowEncryptionOracle"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-049"
|
|
Task = "Set registry value 'EnhancedAntiSpoofing' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" `
|
|
-Name "EnhancedAntiSpoofing" `
|
|
| Select-Object -ExpandProperty "EnhancedAntiSpoofing"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-050"
|
|
Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" `
|
|
-Name "DisableEnclosureDownload" `
|
|
| Select-Object -ExpandProperty "DisableEnclosureDownload"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-051"
|
|
Task = "Set registry value 'PreventCertErrorOverrides' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings" `
|
|
-Name "PreventCertErrorOverrides" `
|
|
| Select-Object -ExpandProperty "PreventCertErrorOverrides"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-052"
|
|
Task = "Set registry value 'FormSuggest Passwords' to no."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main" `
|
|
-Name "FormSuggest Passwords" `
|
|
| Select-Object -ExpandProperty "FormSuggest Passwords"
|
|
|
|
if ($regValue -ne "no") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: no"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-053"
|
|
Task = "Set registry value 'EnabledV9' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
|
|
-Name "EnabledV9" `
|
|
| Select-Object -ExpandProperty "EnabledV9"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-054"
|
|
Task = "Set registry value 'PreventOverride' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
|
|
-Name "PreventOverride" `
|
|
| Select-Object -ExpandProperty "PreventOverride"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-055"
|
|
Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
|
|
-Name "PreventOverrideAppRepUnknown" `
|
|
| Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-056"
|
|
Task = "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
|
|
-Name "DCSettingIndex" `
|
|
| Select-Object -ExpandProperty "DCSettingIndex"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-057"
|
|
Task = "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
|
|
-Name "ACSettingIndex" `
|
|
| Select-Object -ExpandProperty "ACSettingIndex"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-058"
|
|
Task = "Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
|
|
-Name "LetAppsActivateWithVoiceAboveLock" `
|
|
| Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-059"
|
|
Task = "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent" `
|
|
-Name "DisableWindowsConsumerFeatures" `
|
|
| Select-Object -ExpandProperty "DisableWindowsConsumerFeatures"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-060"
|
|
Task = "Set registry value 'AllowProtectedCreds' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" `
|
|
-Name "AllowProtectedCreds" `
|
|
| Select-Object -ExpandProperty "AllowProtectedCreds"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-061"
|
|
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'. [Application\MaxSize]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
|
|
-Name "MaxSize" `
|
|
| Select-Object -ExpandProperty "MaxSize"
|
|
|
|
if ($regValue -ne 32768) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 32768"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-062"
|
|
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
|
|
-Name "MaxSize" `
|
|
| Select-Object -ExpandProperty "MaxSize"
|
|
|
|
if ($regValue -ne 196608) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 196608"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-063"
|
|
Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'. [System\MaxSize]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
|
|
-Name "MaxSize" `
|
|
| Select-Object -ExpandProperty "MaxSize"
|
|
|
|
if ($regValue -ne 32768) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 32768"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-064"
|
|
Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" `
|
|
-Name "NoAutoplayfornonVolume" `
|
|
| Select-Object -ExpandProperty "NoAutoplayfornonVolume"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-065"
|
|
Task = "Set registry value 'AllowGameDVR' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR" `
|
|
-Name "AllowGameDVR" `
|
|
| Select-Object -ExpandProperty "AllowGameDVR"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-066"
|
|
Task = "Ensure 'Configure registry policy processing' is set to '0'. [NoGPOListChanges]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
|
|
-Name "NoGPOListChanges" `
|
|
| Select-Object -ExpandProperty "NoGPOListChanges"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-067"
|
|
Task = "Ensure 'Configure registry policy processing' is set to '0'. [NoBackgroundPolicy]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
|
|
-Name "NoBackgroundPolicy" `
|
|
| Select-Object -ExpandProperty "NoBackgroundPolicy"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-068"
|
|
Task = "Set registry value 'AlwaysInstallElevated' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
|
|
-Name "AlwaysInstallElevated" `
|
|
| Select-Object -ExpandProperty "AlwaysInstallElevated"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-069"
|
|
Task = "Ensure 'Allow user control over installs' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
|
|
-Name "EnableUserControl" `
|
|
| Select-Object -ExpandProperty "EnableUserControl"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-070"
|
|
Task = "Set registry value 'DeviceEnumerationPolicy' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" `
|
|
-Name "DeviceEnumerationPolicy" `
|
|
| Select-Object -ExpandProperty "DeviceEnumerationPolicy"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-071"
|
|
Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" `
|
|
-Name "AllowInsecureGuestAuth" `
|
|
| Select-Object -ExpandProperty "AllowInsecureGuestAuth"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-072"
|
|
Task = "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" `
|
|
-Name "NC_ShowSharedAccessUI" `
|
|
| Select-Object -ExpandProperty "NC_ShowSharedAccessUI"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-073"
|
|
Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
|
|
-Name "\\*\SYSVOL" `
|
|
| Select-Object -ExpandProperty "\\*\SYSVOL"
|
|
|
|
if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-074"
|
|
Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
|
|
-Name "\\*\NETLOGON" `
|
|
| Select-Object -ExpandProperty "\\*\NETLOGON"
|
|
|
|
if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-075"
|
|
Task = "Set registry value 'NoLockScreenCamera' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
|
|
-Name "NoLockScreenCamera" `
|
|
| Select-Object -ExpandProperty "NoLockScreenCamera"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-076"
|
|
Task = "Set registry value 'NoLockScreenSlideshow' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
|
|
-Name "NoLockScreenSlideshow" `
|
|
| Select-Object -ExpandProperty "NoLockScreenSlideshow"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-077"
|
|
Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
|
|
-Name "EnableScriptBlockLogging" `
|
|
| Select-Object -ExpandProperty "EnableScriptBlockLogging"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-078"
|
|
Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
|
|
-Name "EnableScriptBlockInvocationLogging" `
|
|
| Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-079"
|
|
Task = "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
|
|
-Name "AllowDomainPINLogon" `
|
|
| Select-Object -ExpandProperty "AllowDomainPINLogon"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-080"
|
|
Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
|
|
-Name "EnumerateLocalUsers" `
|
|
| Select-Object -ExpandProperty "EnumerateLocalUsers"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-081"
|
|
Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
|
|
-Name "EnableSmartScreen" `
|
|
| Select-Object -ExpandProperty "EnableSmartScreen"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-082"
|
|
Task = "Set registry value 'ShellSmartScreenLevel' to Block."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
|
|
-Name "ShellSmartScreenLevel" `
|
|
| Select-Object -ExpandProperty "ShellSmartScreenLevel"
|
|
|
|
if ($regValue -ne "Block") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: Block"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-083"
|
|
Task = "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" `
|
|
-Name "fBlockNonDomain" `
|
|
| Select-Object -ExpandProperty "fBlockNonDomain"
|
|
|
|
if ($regValue -eq 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-084"
|
|
Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" `
|
|
-Name "AllowIndexingEncryptedStoresOrItems" `
|
|
| Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-085"
|
|
Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
|
|
-Name "AllowDigest" `
|
|
| Select-Object -ExpandProperty "AllowDigest"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-086"
|
|
Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
|
|
-Name "AllowUnencryptedTraffic" `
|
|
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-087"
|
|
Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
|
|
-Name "AllowBasic" `
|
|
| Select-Object -ExpandProperty "AllowBasic"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-088"
|
|
Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
|
|
-Name "AllowUnencryptedTraffic" `
|
|
| Select-Object -ExpandProperty "AllowUnencryptedTraffic"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-089"
|
|
Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
|
|
-Name "DisableRunAs" `
|
|
| Select-Object -ExpandProperty "DisableRunAs"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-090"
|
|
Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
|
|
-Name "AllowBasic" `
|
|
| Select-Object -ExpandProperty "AllowBasic"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-091"
|
|
Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" `
|
|
-Name "EnableMulticast" `
|
|
| Select-Object -ExpandProperty "EnableMulticast"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-092"
|
|
Task = "Set registry value 'DisableWebPnPDownload' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" `
|
|
-Name "DisableWebPnPDownload" `
|
|
| Select-Object -ExpandProperty "DisableWebPnPDownload"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-093"
|
|
Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" `
|
|
-Name "RestrictRemoteClients" `
|
|
| Select-Object -ExpandProperty "RestrictRemoteClients"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-094"
|
|
Task = "Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI'"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fUseMailto" `
|
|
| Select-Object -ExpandProperty "fUseMailto"
|
|
|
|
return @{
|
|
Message = "Registry value found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Compliant. Registry value not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Compliant. Registry key not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-095"
|
|
Task = "Configure Solicited Remote Assistance to disabled."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fAllowToGetHelp" `
|
|
| Select-Object -ExpandProperty "fAllowToGetHelp"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-096"
|
|
Task = "Configure Solicited Remote Assistance - Allow helpers to only view the computer."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fAllowFullControl" `
|
|
| Select-Object -ExpandProperty "fAllowFullControl"
|
|
|
|
return @{
|
|
Message = "Registry value found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Compliant. Registry value not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Compliant. Registry key not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-097"
|
|
Task = "Set registry value 'MaxTicketExpiry' to ."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "MaxTicketExpiry" `
|
|
| Select-Object -ExpandProperty "MaxTicketExpiry"
|
|
|
|
return @{
|
|
Message = "Registry value found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Compliant. Registry value not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Compliant. Registry key not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-098"
|
|
Task = "Set registry value 'MaxTicketExpiryUnits' to ."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "MaxTicketExpiryUnits" `
|
|
| Select-Object -ExpandProperty "MaxTicketExpiryUnits"
|
|
|
|
return @{
|
|
Message = "Registry value found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Compliant. Registry value not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Compliant. Registry key not found."
|
|
Status = "True"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-099"
|
|
Task = "Set registry value 'MinEncryptionLevel' to 3."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "MinEncryptionLevel" `
|
|
| Select-Object -ExpandProperty "MinEncryptionLevel"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-100"
|
|
Task = "Set registry value 'fPromptForPassword' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fPromptForPassword" `
|
|
| Select-Object -ExpandProperty "fPromptForPassword"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-101"
|
|
Task = "Set registry value 'fDisableCdm' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fDisableCdm" `
|
|
| Select-Object -ExpandProperty "fDisableCdm"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-102"
|
|
Task = "Set registry value 'DisablePasswordSaving' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "DisablePasswordSaving" `
|
|
| Select-Object -ExpandProperty "DisablePasswordSaving"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-103"
|
|
Task = "Set registry value 'fEncryptRPCTraffic' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
|
|
-Name "fEncryptRPCTraffic" `
|
|
| Select-Object -ExpandProperty "fEncryptRPCTraffic"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-105"
|
|
Task = "Domain: Set registry value 'DefaultOutboundAction' to 0."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
|
|
$key = "DefaultOutboundAction"
|
|
$expectedValue = 0;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-106"
|
|
Task = "Domain: Set registry value 'DisableNotifications' to 1."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
|
|
$key = "DisableNotifications"
|
|
$expectedValue = 1;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-107"
|
|
Task = "Domain: Set registry value 'EnableFirewall' to 1."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile";
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile";
|
|
$key = "EnableFirewall";
|
|
$expectedValue = 1;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-108"
|
|
Task = "Domain: Set registry value 'DefaultInboundAction' to 1."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
|
|
$key = "DefaultInboundAction"
|
|
$expectedValue = 1;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-109"
|
|
Task = "Domain: Set registry value 'LogDroppedPackets' to 1."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
|
|
$key = "LogDroppedPackets"
|
|
$expectedValue = 1;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-110"
|
|
Task = "Domain: Set registry value 'LogFileSize' to 16384."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
|
|
$key = "LogFileSize"
|
|
$expectedValue = 16384;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-111"
|
|
Task = "Domain: Set registry value 'LogSuccessfulConnections' to 1."
|
|
Constraints = @(
|
|
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
|
|
)
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
|
|
$key = "LogSuccessfulConnections"
|
|
$expectedValue = 1;
|
|
$profileType = "Domain"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-112"
|
|
Task = "Private: Set registry value 'EnableFirewall' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
|
|
$key = "EnableFirewall"
|
|
$expectedValue = 1;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-113"
|
|
Task = "Private: Set registry value 'DisableNotifications' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
|
|
$key = "DisableNotifications"
|
|
$expectedValue = 1;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-114"
|
|
Task = "Private: Set registry value 'DefaultInboundAction' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
|
|
$key = "DefaultInboundAction"
|
|
$expectedValue = 1;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-115"
|
|
Task = "Private: Set registry value 'DefaultOutboundAction' to 0."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
|
|
$key = "DefaultOutboundAction"
|
|
$expectedValue = 0;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-116"
|
|
Task = "Private: Set registry value 'LogSuccessfulConnections' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
|
|
$key = "LogSuccessfulConnections"
|
|
$expectedValue = 1;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-117"
|
|
Task = "Private: Set registry value 'LogDroppedPackets' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
|
|
$key = "LogDroppedPackets"
|
|
$expectedValue = 1;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-118"
|
|
Task = "Private: Set registry value 'LogFileSize' to 16384."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging"
|
|
$key = "LogFileSize"
|
|
$expectedValue = 16384;
|
|
$profileType = "Private"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-119"
|
|
Task = "Public: Set registry value 'DefaultOutboundAction' to 0."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "DefaultOutboundAction"
|
|
$expectedValue = 0;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-120"
|
|
Task = "Public: Set registry value 'EnableFirewall' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "EnableFirewall"
|
|
$expectedValue = 1;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-121"
|
|
Task = "Public: Set registry value 'DisableNotifications' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "DisableNotifications"
|
|
$expectedValue = 1;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-122"
|
|
Task = "Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "AllowLocalIPsecPolicyMerge"
|
|
$expectedValue = 0;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-123"
|
|
Task = "Public: Set registry value 'AllowLocalPolicyMerge' to 0."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "AllowLocalPolicyMerge"
|
|
$expectedValue = 0;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-124"
|
|
Task = "Public: Set registry value 'DefaultInboundAction' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
|
|
$key = "DefaultInboundAction"
|
|
$expectedValue = 1;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-125"
|
|
Task = "Public: Set registry value 'LogFileSize' to 16384."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
|
|
$key = "LogFileSize"
|
|
$expectedValue = 16384;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-126"
|
|
Task = "Public: Set registry value 'LogDroppedPackets' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
|
|
$key = "LogDroppedPackets"
|
|
$expectedValue = 1;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-127"
|
|
Task = "Public: Set registry value 'LogSuccessfulConnections' to 1."
|
|
Test = {
|
|
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging"
|
|
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging"
|
|
$key = "LogSuccessfulConnections"
|
|
$expectedValue = 1;
|
|
$profileType = "Public"
|
|
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
|
|
return @{
|
|
Message = $($result.Message)
|
|
Status = $($result.Status)
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-128"
|
|
Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" `
|
|
-Name "AllowWindowsInkWorkspace" `
|
|
| Select-Object -ExpandProperty "AllowWindowsInkWorkspace"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-129"
|
|
Task = "Set registry value 'AdmPwdEnabled' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" `
|
|
-Name "AdmPwdEnabled" `
|
|
| Select-Object -ExpandProperty "AdmPwdEnabled"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-130"
|
|
Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
|
|
-Name "UseLogonCredential" `
|
|
| Select-Object -ExpandProperty "UseLogonCredential"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-131"
|
|
Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" `
|
|
-Name "DisableExceptionChainValidation" `
|
|
| Select-Object -ExpandProperty "DisableExceptionChainValidation"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-132"
|
|
Task = "Set registry value 'DriverLoadPolicy' to 3."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" `
|
|
-Name "DriverLoadPolicy" `
|
|
| Select-Object -ExpandProperty "DriverLoadPolicy"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-133"
|
|
Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
|
|
-Name "SMB1" `
|
|
| Select-Object -ExpandProperty "SMB1"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-134"
|
|
Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" `
|
|
-Name "Start" `
|
|
| Select-Object -ExpandProperty "Start"
|
|
|
|
if ($regValue -ne 4) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 4"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-135"
|
|
Task = "Set registry value 'NoNameReleaseOnDemand' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
|
|
-Name "NoNameReleaseOnDemand" `
|
|
| Select-Object -ExpandProperty "NoNameReleaseOnDemand"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-136"
|
|
Task = "Set registry value 'NodeType' to 2."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
|
|
-Name "NodeType" `
|
|
| Select-Object -ExpandProperty "NodeType"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-137"
|
|
Task = "Set registry value 'EnableICMPRedirect' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
|
|
-Name "EnableICMPRedirect" `
|
|
| Select-Object -ExpandProperty "EnableICMPRedirect"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-138"
|
|
Task = "Set registry value 'DisableIPSourceRouting' to 2. [Tcpip\Parameters\DisableIPSourceRouting]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
|
|
-Name "DisableIPSourceRouting" `
|
|
| Select-Object -ExpandProperty "DisableIPSourceRouting"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-139"
|
|
Task = "Set registry value 'DisableIPSourceRouting' to 2. [Tcpip6\Parameters\DisableIPSourceRouting]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
|
|
-Name "DisableIPSourceRouting" `
|
|
| Select-Object -ExpandProperty "DisableIPSourceRouting"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-140"
|
|
Task = "Set registry value 'ScRemoveOption' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" `
|
|
-Name "ScRemoveOption" `
|
|
| Select-Object -ExpandProperty "ScRemoveOption"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-141"
|
|
Task = "Set registry value 'InactivityTimeoutSecs' to 900."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "InactivityTimeoutSecs" `
|
|
| Select-Object -ExpandProperty "InactivityTimeoutSecs"
|
|
|
|
if ($regValue -ne 900) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 900"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-142"
|
|
Task = "Set registry value 'NoLMHash' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "NoLMHash" `
|
|
| Select-Object -ExpandProperty "NoLMHash"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-143"
|
|
Task = "Set registry value 'EnablePlainTextPassword' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
|
|
-Name "EnablePlainTextPassword" `
|
|
| Select-Object -ExpandProperty "EnablePlainTextPassword"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-144"
|
|
Task = "Set registry value 'LimitBlankPasswordUse' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "LimitBlankPasswordUse" `
|
|
| Select-Object -ExpandProperty "LimitBlankPasswordUse"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-145"
|
|
Task = "Set registry value 'RestrictAnonymousSAM' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "RestrictAnonymousSAM" `
|
|
| Select-Object -ExpandProperty "RestrictAnonymousSAM"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-146"
|
|
Task = "Set registry value 'RestrictAnonymous' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "RestrictAnonymous" `
|
|
| Select-Object -ExpandProperty "RestrictAnonymous"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-147"
|
|
Task = "Set registry value 'RestrictNullSessAccess' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
|
|
-Name "RestrictNullSessAccess" `
|
|
| Select-Object -ExpandProperty "RestrictNullSessAccess"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-148"
|
|
Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "SCENoApplyLegacyAuditPolicy" `
|
|
| Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-149"
|
|
Task = "Set registry value 'NTLMMinClientSec' to 537395200."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
|
|
-Name "NTLMMinClientSec" `
|
|
| Select-Object -ExpandProperty "NTLMMinClientSec"
|
|
|
|
if ($regValue -ne 537395200) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 537395200"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-150"
|
|
Task = "Set registry value 'LmCompatibilityLevel' to 5."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "LmCompatibilityLevel" `
|
|
| Select-Object -ExpandProperty "LmCompatibilityLevel"
|
|
|
|
if ($regValue -ne 5) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 5"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-151"
|
|
Task = "Set registry value 'allownullsessionfallback' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
|
|
-Name "allownullsessionfallback" `
|
|
| Select-Object -ExpandProperty "allownullsessionfallback"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-152"
|
|
Task = "Set registry value 'NTLMMinServerSec' to 537395200."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
|
|
-Name "NTLMMinServerSec" `
|
|
| Select-Object -ExpandProperty "NTLMMinServerSec"
|
|
|
|
if ($regValue -ne 537395200) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 537395200"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-153"
|
|
Task = "Set registry value 'requirestrongkey' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
|
|
-Name "requirestrongkey" `
|
|
| Select-Object -ExpandProperty "requirestrongkey"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-154"
|
|
Task = "Set registry value 'RequireSecuritySignature' to 1."
|
|
Test = {
|
|
try {
|
|
if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){
|
|
return @{
|
|
Message = "RequireSecuritySignature is not set to True"
|
|
Status = "False"
|
|
}
|
|
}
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch {
|
|
try{
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
|
|
-Name "RequireSecuritySignature" `
|
|
| Select-Object -ExpandProperty "RequireSecuritySignature"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-155"
|
|
Task = "Set registry value 'sealsecurechannel' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
|
|
-Name "sealsecurechannel" `
|
|
| Select-Object -ExpandProperty "sealsecurechannel"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-156"
|
|
Task = "Set registry value 'requiresignorseal' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
|
|
-Name "requiresignorseal" `
|
|
| Select-Object -ExpandProperty "requiresignorseal"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-157"
|
|
Task = "Set registry value 'signsecurechannel' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" `
|
|
-Name "signsecurechannel" `
|
|
| Select-Object -ExpandProperty "signsecurechannel"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-158"
|
|
Task = "Set registry value 'requiresecuritysignature' to 1."
|
|
Test = {
|
|
try {
|
|
if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){
|
|
return @{
|
|
Message = "RequireSecuritySignature is not set to True"
|
|
Status = "False"
|
|
}
|
|
}
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
catch {
|
|
try{
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
|
|
-Name "RequireSecuritySignature" `
|
|
| Select-Object -ExpandProperty "RequireSecuritySignature"
|
|
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See <a href=`"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing#policy-locations-for-smb-signing`">here</a> and <a href=`"https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704`">here</a>"
|
|
Status = "Warning"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-159"
|
|
Task = "Set registry value 'ProtectionMode' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" `
|
|
-Name "ProtectionMode" `
|
|
| Select-Object -ExpandProperty "ProtectionMode"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-160"
|
|
Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "ConsentPromptBehaviorAdmin" `
|
|
| Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-161"
|
|
Task = "Set registry value 'EnableSecureUIAPaths' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "EnableSecureUIAPaths" `
|
|
| Select-Object -ExpandProperty "EnableSecureUIAPaths"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-162"
|
|
Task = "Set registry value 'EnableLUA' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "EnableLUA" `
|
|
| Select-Object -ExpandProperty "EnableLUA"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-163"
|
|
Task = "Set registry value 'ConsentPromptBehaviorUser' to 0."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "ConsentPromptBehaviorUser" `
|
|
| Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-164"
|
|
Task = "Set registry value 'EnableInstallerDetection' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "EnableInstallerDetection" `
|
|
| Select-Object -ExpandProperty "EnableInstallerDetection"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-165"
|
|
Task = "Set registry value 'FilterAdministratorToken' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "FilterAdministratorToken" `
|
|
| Select-Object -ExpandProperty "FilterAdministratorToken"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-166"
|
|
Task = "Set registry value 'EnableVirtualization' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
|
|
-Name "EnableVirtualization" `
|
|
| Select-Object -ExpandProperty "EnableVirtualization"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-167"
|
|
Task = "Set registry value 'LDAPClientIntegrity' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" `
|
|
-Name "LDAPClientIntegrity" `
|
|
| Select-Object -ExpandProperty "LDAPClientIntegrity"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-168"
|
|
Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
|
|
-Name "RestrictRemoteSAM" `
|
|
| Select-Object -ExpandProperty "RestrictRemoteSAM"
|
|
|
|
if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-223"
|
|
Task = "Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" `
|
|
-Name "DisableThirdPartySuggestions" `
|
|
| Select-Object -ExpandProperty "DisableThirdPartySuggestions"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-224"
|
|
Task = "Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" `
|
|
-Name "NoToastApplicationNotificationOnLockScreen" `
|
|
| Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-225"
|
|
Task = "Set registry value 'FormSuggest Passwords' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
|
|
-Name "FormSuggest Passwords" `
|
|
| Select-Object -ExpandProperty "FormSuggest Passwords"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-226"
|
|
Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" `
|
|
-Name "FormSuggest PW Ask" `
|
|
| Select-Object -ExpandProperty "FormSuggest PW Ask"
|
|
|
|
if ($regValue -ne "no") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: no"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-227"
|
|
Task = "Set registry value 'FormSuggest Passwords' to no."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" `
|
|
-Name "FormSuggest Passwords" `
|
|
| Select-Object -ExpandProperty "FormSuggest Passwords"
|
|
|
|
if ($regValue -ne "no") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: no"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-228"
|
|
Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
|
|
-Name "RunThisTimeEnabled" `
|
|
| Select-Object -ExpandProperty "RunThisTimeEnabled"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-229"
|
|
Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
|
|
-Name "VersionCheckEnabled" `
|
|
| Select-Object -ExpandProperty "VersionCheckEnabled"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-230"
|
|
Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
|
|
-Name "RunInvalidSignatures" `
|
|
| Select-Object -ExpandProperty "RunInvalidSignatures"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-231"
|
|
Task = "Set registry value 'CheckExeSignatures' to yes."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
|
|
-Name "CheckExeSignatures" `
|
|
| Select-Object -ExpandProperty "CheckExeSignatures"
|
|
|
|
if ($regValue -ne "yes") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: yes"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-232"
|
|
Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
|
|
-Name "Isolation64Bit" `
|
|
| Select-Object -ExpandProperty "Isolation64Bit"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-233"
|
|
Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
|
|
-Name "DisableEPMCompat" `
|
|
| Select-Object -ExpandProperty "DisableEPMCompat"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-234"
|
|
Task = "Set registry value 'Isolation' to PMEM."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
|
|
-Name "Isolation" `
|
|
| Select-Object -ExpandProperty "Isolation"
|
|
|
|
if ($regValue -ne "PMEM") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: PMEM"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-235"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_DISABLE_MK_PROTOCOL\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-236"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-237"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_DISABLE_MK_PROTOCOL\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-238"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_MIME_HANDLING\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-239"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_MIME_HANDLING\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-240"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_MIME_HANDLING\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-241"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_MIME_SNIFFING\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-242"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_MIME_SNIFFING\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-243"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_MIME_SNIFFING\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-244"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-245"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-246"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-247"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-248"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-249"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-250"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_SECURITYBAND\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-251"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_SECURITYBAND\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-252"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_SECURITYBAND\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-253"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_WINDOW_RESTRICTIONS\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-254"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_WINDOW_RESTRICTIONS\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-255"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_WINDOW_RESTRICTIONS\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-256"
|
|
Task = "Set registry value '(Reserved)' to 1. [FEATURE_ZONE_ELEVATION\(Reserved)]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
|
|
-Name "(Reserved)" `
|
|
| Select-Object -ExpandProperty "(Reserved)"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-257"
|
|
Task = "Set registry value 'explorer.exe' to 1. [FEATURE_ZONE_ELEVATION\explorer.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
|
|
-Name "explorer.exe" `
|
|
| Select-Object -ExpandProperty "explorer.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-258"
|
|
Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_ZONE_ELEVATION\iexplore.exe]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
|
|
-Name "iexplore.exe" `
|
|
| Select-Object -ExpandProperty "iexplore.exe"
|
|
|
|
if ($regValue -ne "1") {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-259"
|
|
Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
|
|
-Name "PreventOverrideAppRepUnknown" `
|
|
| Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-260"
|
|
Task = "Set registry value 'PreventOverride' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
|
|
-Name "PreventOverride" `
|
|
| Select-Object -ExpandProperty "PreventOverride"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-261"
|
|
Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
|
|
-Name "EnabledV9" `
|
|
| Select-Object -ExpandProperty "EnabledV9"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-262"
|
|
Task = "Set registry value 'NoCrashDetection' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" `
|
|
-Name "NoCrashDetection" `
|
|
| Select-Object -ExpandProperty "NoCrashDetection"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-263"
|
|
Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" `
|
|
-Name "DisableSecuritySettingsCheck" `
|
|
| Select-Object -ExpandProperty "DisableSecuritySettingsCheck"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-264"
|
|
Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" `
|
|
-Name "BlockNonAdminActiveXInstall" `
|
|
| Select-Object -ExpandProperty "BlockNonAdminActiveXInstall"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-265"
|
|
Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" `
|
|
-Name "OnlyUseAXISForActiveXInstall" `
|
|
| Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-266"
|
|
Task = "Set registry value 'Security_zones_map_edit' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "Security_zones_map_edit" `
|
|
| Select-Object -ExpandProperty "Security_zones_map_edit"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-267"
|
|
Task = "Set registry value 'Security_options_edit' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "Security_options_edit" `
|
|
| Select-Object -ExpandProperty "Security_options_edit"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-268"
|
|
Task = "Set registry value 'Security_HKLM_only' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "Security_HKLM_only" `
|
|
| Select-Object -ExpandProperty "Security_HKLM_only"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-269"
|
|
Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "CertificateRevocation" `
|
|
| Select-Object -ExpandProperty "CertificateRevocation"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-270"
|
|
Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "PreventIgnoreCertErrors" `
|
|
| Select-Object -ExpandProperty "PreventIgnoreCertErrors"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-271"
|
|
Task = "Set registry value 'WarnOnBadCertRecving' to 1."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "WarnOnBadCertRecving" `
|
|
| Select-Object -ExpandProperty "WarnOnBadCertRecving"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-272"
|
|
Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "EnableSSL3Fallback" `
|
|
| Select-Object -ExpandProperty "EnableSSL3Fallback"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-273"
|
|
Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
|
|
-Name "SecureProtocols" `
|
|
| Select-Object -ExpandProperty "SecureProtocols"
|
|
|
|
if ($regValue -ne 2560) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2560"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-274"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-275"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-276"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-277"
|
|
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\3]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" `
|
|
-Name "2301" `
|
|
| Select-Object -ExpandProperty "2301"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-278"
|
|
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
|
|
-Name "2301" `
|
|
| Select-Object -ExpandProperty "2301"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-279"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-280"
|
|
Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" `
|
|
-Name "UNCAsIntranet" `
|
|
| Select-Object -ExpandProperty "UNCAsIntranet"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-281"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-282"
|
|
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
|
|
-Name "270C" `
|
|
| Select-Object -ExpandProperty "270C"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-283"
|
|
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
|
|
-Name "270C" `
|
|
| Select-Object -ExpandProperty "270C"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-284"
|
|
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
|
|
-Name "1201" `
|
|
| Select-Object -ExpandProperty "1201"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-285"
|
|
Task = "Ensure 'Java permissions' is set to 'High safety'. [Zones\1\1C00]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 65536) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 65536"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-286"
|
|
Task = "Ensure 'Java permissions' is set to 'High safety'. [Zones\2\1C00]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 65536) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 65536"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-287"
|
|
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
|
|
-Name "270C" `
|
|
| Select-Object -ExpandProperty "270C"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-288"
|
|
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
|
|
-Name "1201" `
|
|
| Select-Object -ExpandProperty "1201"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-289"
|
|
Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2001" `
|
|
| Select-Object -ExpandProperty "2001"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-290"
|
|
Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2102" `
|
|
| Select-Object -ExpandProperty "2102"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-291"
|
|
Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1802" `
|
|
| Select-Object -ExpandProperty "1802"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-292"
|
|
Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "160A" `
|
|
| Select-Object -ExpandProperty "160A"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-293"
|
|
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1201" `
|
|
| Select-Object -ExpandProperty "1201"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-294"
|
|
Task = "Ensure 'Access data sources across domains' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1406" `
|
|
| Select-Object -ExpandProperty "1406"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-295"
|
|
Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1804" `
|
|
| Select-Object -ExpandProperty "1804"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-296"
|
|
Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2200" `
|
|
| Select-Object -ExpandProperty "2200"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-297"
|
|
Task = "Ensure 'Allow scriptlets' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1209" `
|
|
| Select-Object -ExpandProperty "1209"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-298"
|
|
Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1206" `
|
|
| Select-Object -ExpandProperty "1206"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-299"
|
|
Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1809" `
|
|
| Select-Object -ExpandProperty "1809"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-300"
|
|
Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2500" `
|
|
| Select-Object -ExpandProperty "2500"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-301"
|
|
Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2103" `
|
|
| Select-Object -ExpandProperty "2103"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-302"
|
|
Task = "Ensure 'Userdata persistence' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1606" `
|
|
| Select-Object -ExpandProperty "1606"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-303"
|
|
Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2402" `
|
|
| Select-Object -ExpandProperty "2402"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-304"
|
|
Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2004" `
|
|
| Select-Object -ExpandProperty "2004"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-305"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-306"
|
|
Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1001" `
|
|
| Select-Object -ExpandProperty "1001"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-307"
|
|
Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1A00" `
|
|
| Select-Object -ExpandProperty "1A00"
|
|
|
|
if ($regValue -ne 65536) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 65536"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-308"
|
|
Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2708" `
|
|
| Select-Object -ExpandProperty "2708"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-309"
|
|
Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1004" `
|
|
| Select-Object -ExpandProperty "1004"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-310"
|
|
Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "120b" `
|
|
| Select-Object -ExpandProperty "120b"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-311"
|
|
Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1407" `
|
|
| Select-Object -ExpandProperty "1407"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-312"
|
|
Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1409" `
|
|
| Select-Object -ExpandProperty "1409"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-313"
|
|
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "270C" `
|
|
| Select-Object -ExpandProperty "270C"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-314"
|
|
Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1607" `
|
|
| Select-Object -ExpandProperty "1607"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-315"
|
|
Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2709" `
|
|
| Select-Object -ExpandProperty "2709"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-316"
|
|
Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2101" `
|
|
| Select-Object -ExpandProperty "2101"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-317"
|
|
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\3]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "2301" `
|
|
| Select-Object -ExpandProperty "2301"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-318"
|
|
Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "1806" `
|
|
| Select-Object -ExpandProperty "1806"
|
|
|
|
if ($regValue -ne 1) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 1"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-319"
|
|
Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "120c" `
|
|
| Select-Object -ExpandProperty "120c"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-320"
|
|
Task = "Set registry value '140C' to 3. (Zones\3)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
|
|
-Name "140C" `
|
|
| Select-Object -ExpandProperty "140C"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-321"
|
|
Task = "Ensure 'Allow META REFRESH' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1608" `
|
|
| Select-Object -ExpandProperty "1608"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-322"
|
|
Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1201" `
|
|
| Select-Object -ExpandProperty "1201"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-323"
|
|
Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1001" `
|
|
| Select-Object -ExpandProperty "1001"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-324"
|
|
Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1607" `
|
|
| Select-Object -ExpandProperty "1607"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-325"
|
|
Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "120b" `
|
|
| Select-Object -ExpandProperty "120b"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-326"
|
|
Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1809" `
|
|
| Select-Object -ExpandProperty "1809"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-327"
|
|
Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1004" `
|
|
| Select-Object -ExpandProperty "1004"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-328"
|
|
Task = "Ensure 'Userdata persistence' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1606" `
|
|
| Select-Object -ExpandProperty "1606"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-329"
|
|
Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1407" `
|
|
| Select-Object -ExpandProperty "1407"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-330"
|
|
Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "160A" `
|
|
| Select-Object -ExpandProperty "160A"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-331"
|
|
Task = "Ensure 'Access data sources across domains' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1406" `
|
|
| Select-Object -ExpandProperty "1406"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-332"
|
|
Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2102" `
|
|
| Select-Object -ExpandProperty "2102"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-333"
|
|
Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2004" `
|
|
| Select-Object -ExpandProperty "2004"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-334"
|
|
Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2200" `
|
|
| Select-Object -ExpandProperty "2200"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-335"
|
|
Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2000" `
|
|
| Select-Object -ExpandProperty "2000"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-336"
|
|
Task = "Ensure 'Scripting of Java applets' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1402" `
|
|
| Select-Object -ExpandProperty "1402"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-337"
|
|
Task = "Ensure 'Allow file downloads' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1803" `
|
|
| Select-Object -ExpandProperty "1803"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-338"
|
|
Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2402" `
|
|
| Select-Object -ExpandProperty "2402"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-339"
|
|
Task = "Ensure 'Allow active scripting' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1400" `
|
|
| Select-Object -ExpandProperty "1400"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-340"
|
|
Task = "Ensure 'Logon options' is set to 'Anonymous logon'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1A00" `
|
|
| Select-Object -ExpandProperty "1A00"
|
|
|
|
if ($regValue -ne 196608) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 196608"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-341"
|
|
Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2001" `
|
|
| Select-Object -ExpandProperty "2001"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-342"
|
|
Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2500" `
|
|
| Select-Object -ExpandProperty "2500"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-343"
|
|
Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1409" `
|
|
| Select-Object -ExpandProperty "1409"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-344"
|
|
Task = "Ensure 'Java permissions' is set to 'Disable Java'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1C00" `
|
|
| Select-Object -ExpandProperty "1C00"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-345"
|
|
Task = "Ensure 'Allow scriptlets' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1209" `
|
|
| Select-Object -ExpandProperty "1209"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-346"
|
|
Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "270C" `
|
|
| Select-Object -ExpandProperty "270C"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-347"
|
|
Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1206" `
|
|
| Select-Object -ExpandProperty "1206"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-348"
|
|
Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2708" `
|
|
| Select-Object -ExpandProperty "2708"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-349"
|
|
Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1802" `
|
|
| Select-Object -ExpandProperty "1802"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-350"
|
|
Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2103" `
|
|
| Select-Object -ExpandProperty "2103"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-351"
|
|
Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2709" `
|
|
| Select-Object -ExpandProperty "2709"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-352"
|
|
Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1405" `
|
|
| Select-Object -ExpandProperty "1405"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-353"
|
|
Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2101" `
|
|
| Select-Object -ExpandProperty "2101"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-354"
|
|
Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\4]"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "2301" `
|
|
| Select-Object -ExpandProperty "2301"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-355"
|
|
Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1200" `
|
|
| Select-Object -ExpandProperty "1200"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-356"
|
|
Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1804" `
|
|
| Select-Object -ExpandProperty "1804"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-357"
|
|
Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "1806" `
|
|
| Select-Object -ExpandProperty "1806"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-358"
|
|
Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'."
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "120c" `
|
|
| Select-Object -ExpandProperty "120c"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "Registry-359"
|
|
Task = "Set registry value '140C' to 3. (Zones\4)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
|
|
-Name "140C" `
|
|
| Select-Object -ExpandProperty "140C"
|
|
|
|
if ($regValue -ne 3) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 3"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|