emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
404ee3fec442838b068a79df338bb5074947b599
atap/ATAPAuditor/AuditGroups/RSSeverityTests.ps1
T
emily 404ee3fec4 a
2026-05-11 09:15:08 +02:00

2510 lines
86 KiB
PowerShell
Raw Blame History

$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$windefrunning = CheckWindefRunning
. "$RootPath\Helpers\Firewall.ps1"
$domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole
$listOfWeakCipherSuites = getListOfWeakCipherSuites
$listOfInsecureCipherSuites = getListOfInsecureCipherSuites
[AuditTest] @{
Id = "1.1.7"
Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
if ($null -eq $setPolicy) {
return @{
Message = "Currently not set."
Status = "False"
}
}
$setPolicy = [long]$setPolicy
if ($setPolicy -ne 0) {
return @{
Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
if ($domainRole -eq 3) {
[AuditTest] @{
Id = "2.2.38"
Task = "Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Server" }
)
Test = {
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
$identityAccounts = @(
"S-1-5-32-544"
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
$messages = @()
if ($unexpectedUsers.Count -gt 0) {
$messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
}
if ($missingUsers.Count -gt 0) {
$messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
}
$message = $messages -join [System.Environment]::NewLine
return @{
Status = "False"
Message = $message
}
}
return @{
Status = "True"
Message = "Compliant"
}
}
}
}
if ($domainRole -ge 4) {
[AuditTest] @{
Id = "2.3.5.2"
Task = "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" }
)
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" `
-Name "LDAPServerIntegrity" `
| Select-Object -ExpandProperty "LDAPServerIntegrity"
if ($regValue -ne 2) {
return @{
Message = "Registry value is '$regValue'. Expected: 2"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
}
[AuditTest] @{
Id = "2.3.11.4"
Task = "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
-Name "SupportedEncryptionTypes" `
| Select-Object -ExpandProperty "SupportedEncryptionTypes"
if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) {
return @{
Message = "Registry value is '$regValue'. Expected: x == 2147483644 or x == 2147483640"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.11.5"
Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
-Name "NoLMHash" `
| Select-Object -ExpandProperty "NoLMHash"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "9.1.7"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" }
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogDroppedPackets"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "9.1.8"
Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
Constraints = @(
@{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" }
)
Test = {
$path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
$path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"
$key = "LogSuccessfulConnections"
$expectedValue = 1;
$profileType = "Domain"
$result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
return @{
Message = $($result.Message)
Status = $($result.Status)
}
}
}
[AuditTest] @{
Id = "18.3.3"
Task = "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" `
-Name "Start" `
| Select-Object -ExpandProperty "Start"
if ($regValue -ne 4) {
return @{
Message = "Registry value is '$regValue'. Expected: 4"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.3.3"
Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-Name "SMB1" `
| Select-Object -ExpandProperty "SMB1"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.3.6"
Task = "Ensure 'WDigest Authentication' is set to 'Disabled'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
-Name "UseLogonCredential" `
| Select-Object -ExpandProperty "UseLogonCredential"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.6.2"
Task = "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
-Name "NoWarningNoElevationOnInstall" `
| Select-Object -ExpandProperty "NoWarningNoElevationOnInstall"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.6.3"
Task = "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
-Name "UpdatePromptSettings" `
| Select-Object -ExpandProperty "UpdatePromptSettings"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.9.2"
Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
-Name "DisableRealtimeMonitoring" `
| Select-Object -ExpandProperty "DisableRealtimeMonitoring"
if ($regValue -eq 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 A"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "26190899-1602-49e8-8b27-eb1d0a1ce869"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 B"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "3b576869-a4ec-4529-8536-b80a7769e899"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "3b576869-a4ec-4529-8536-b80a7769e899"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 C"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 D"
Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configured"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 E"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 F"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 G"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 H"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 I"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 J"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "d3e037e1-3eb8-44c8-a917-57927947596d"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 K"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.47.5.1.2 L"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.10.43.6.1.2 M"
Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block abuse of exploited vulnerable signed drivers)"
Test = {
try {
if ((-not $windefrunning)) {
return @{
Message = "This rule requires Windows Defender Antivirus to be enabled."
Status = "None"
}
}
$regValue = 0;
$regValueTwo = 0;
$Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value = "56a863a9-875e-4185-98a7-b882c64b5ce5"
$asrTest1 = Test-ASRRules -Path $Path -Value $Value
if ($asrTest1) {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path $Path `
-Name $Value `
| Select-Object -ExpandProperty $Value
}
$Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
$Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5"
$asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2
if ($asrTest2) {
$regValueTwo = Get-ItemProperty -ErrorAction Stop `
-Path $Path2 `
-Name $Value2 `
| Select-Object -ExpandProperty $Value2
}
if ($regValue -ne 1 -and $regValueTwo -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.58.3.10.1"
Task = "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "MaxIdleTime" `
| Select-Object -ExpandProperty "MaxIdleTime"
if (($regValue -gt 900000 -or $regValue -eq 0)) {
return @{
Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "18.9.58.3.10.2"
Task = "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "MaxDisconnectionTime" `
| Select-Object -ExpandProperty "MaxDisconnectionTime"
if ($regValue -ne 60000) {
return @{
Message = "Registry value is '$regValue'. Expected: 60000"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.1"
Task = "Disable SSLv2 Protocol (Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "Disable SSLv2 Protocol (Server DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "Disable SSLv2 Protocol (Client)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "Disable SSLv2 Protocol (Client DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "Disable SSLv3 Protocol (Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "Disable SSLv3 Protocol (Server DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "Disable SSLv3 Protocol (Client)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.2.4"
Task = "Disable SSLv3 Protocol (Client DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.3.1"
Task = "Disable TLS1.0 Protocol (Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.3.2"
Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.3.3"
Task = "Disable TLS1.0 Protocol (Client)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.3.4"
Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.4.1"
Task = "Disable TLS1.1 Protocol (Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.4.2"
Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.4.3"
Task = "Disable TLS1.1 Protocol (Client)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.4.4"
Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.5.1"
Task = "Enable TLS1.2 Protocol (Server)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.5.2"
Task = "Enable TLS1.2 Protocol (Server Default)"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
-Name "DisabledByDefault" `
| Select-Object -ExpandProperty "DisabledByDefault"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.1"
Task = "Disable NULL Cipher"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.2"
Task = "Disable DES Cipher Suite"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.1"
Task = "Disable RC4 Cipher Suite - 40/128"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.2"
Task = "Disable RC4 Cipher Suite - 56/128"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.3"
Task = "Disable RC4 Cipher Suite - 64/128"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.3.4"
Task = "Disable RC4 Cipher Suite - 128/128"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.4"
Task = "Disable AES 128/128 Cipher Suite"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.5"
Task = "Enable AES 256/256 Cipher Suite"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -eq 4294967295) {
return @{
Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:<br/>"`
+ '<a href="https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings">'`
+ 'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings<a/>'
Status = "False"
}
}
if ($regValue -ne 1) {
return @{
Message = "Registry value is '$regValue'. Expected: 1"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "2.6"
Task = "Disable Triple DES Cipher Suite"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.1"
Task = "Disable SHA-1 hash"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.2"
Task = "Disable MD5 hash"
Test = {
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" `
-Name "Enabled" `
| Select-Object -ExpandProperty "Enabled"
if ($regValue -ne 0) {
return @{
Message = "Registry value is '$regValue'. Expected: 0"
Status = "False"
}
}
}
catch [System.Management.Automation.PSArgumentException] {
return @{
Message = "Registry value not found."
Status = "False"
}
}
catch [System.Management.Automation.ItemNotFoundException] {
return @{
Message = "Registry key not found."
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.1"
Task = "Configure Cipher Suite Ordering"
Test = {
#check if correct type
$typeTable = @{
"String" = "String Value"
"Byte" = "Byte Value"
"Int32" = "DWORD (32-bit) Value"
"Int64" = "QWORD (64-bit) Value"
"String[]" = "Multi-String Value"
}
#Default status
$status = "Error"
#Output
$verbInsecure = "rules have"
$verbWeak = "rules have"
try {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" `
-Name "Functions"
$reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
$res = $regValue.Functions.GetType().Name
$currentType = $typeTable[$res]
if ($res -ne [String]) {
return @{
Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'"
Status = "False"
}
}
#check if insecure or weak cipher is inside value
$regValues = $regValue.Split(',')
$regValues = $regValues -replace ' ', ''
$weakRulesFound = @()
$insecureRulesFound = @()
foreach ($element in $regValues) {
if ($listOfWeakCipherSuites.Contains($element)) {
$weakRulesFound += $element
}
if ($listOfInsecureCipherSuites.Contains($element)) {
$insecureRulesFound += $element
}
}
if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" }
if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" }
$insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules: <br/>"
$weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules: <br/>"
#Preparing message
foreach ($member in $weakRulesFound) {
$status = "Warning"
$weakMessage += "$($member)<br/>"
}
foreach ($member in $insecureRulesFound) {
$status = "False"
$insecureMessage += "$($member)<br/>"
}
#Combine or shorten message
if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) {
$message = ""
if ($weakRulesFound.Count -eq 0) { $weakMessage = "" }
if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" }
$message = $insecureMessage + $weakMessage
return @{
Message = $message
Status = $status
}
}
}
catch {
$regValue = Get-ItemProperty -ErrorAction Stop `
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" `
-Name "Functions"
$reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
$res = $regValue.Functions.GetType().Name
$currentType = $typeTable[$res]
if ($res -ne [String[]]) {
return @{
Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'"
Status = "False"
}
}
#check if insecure or weak cipher is inside value
$regValues = $regValue -replace ' ', ''
$weakRulesFound = @()
$insecureRulesFound = @()
foreach ($element in $regValues) {
if ($listOfWeakCipherSuites.Contains($element)) {
$weakRulesFound += $element
}
if ($listOfInsecureCipherSuites.Contains($element)) {
$insecureRulesFound += $element
}
}
if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" }
if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" }
$insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules: <br/>"
$weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules: <br/>"
#Preparing message
foreach ($member in $weakRulesFound) {
$status = "Warning"
$weakMessage += "$($member)<br/>"
}
foreach ($member in $insecureRulesFound) {
$status = "False"
$insecureMessage += "$($member)<br/>"
}
#Combine or shorten message
if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) {
$message = ""
if ($weakRulesFound.Count -eq 0) { $weakMessage = "" }
if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" }
$message = $insecureMessage + $weakMessage
return @{
Message = $message
Status = $status
}
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
Reference in New Issue View Git Blame Copy Permalink