-
Notifications
You must be signed in to change notification settings - Fork 0
threatmodel Windows EN
- EDAMAME helper inactive
- Cached logon credentials enabled
- No antivirus enabled
- Disk encryption disabled
- User Account Control disabled
- Automatic logon enabled
- Potentially compromised email address
- Unverified or unsafe network environment
- Windows Script Host enabled
- Remote Desktop Protocol (RDP) enabled
- Windows Update disabled
- Guest account enabled
- Built-in Administrator account enabled
- Windows Firewall disabled
- Remote Registry Service enabled
- LM and NTLMv1 protocols enabled
- Lsass.exe process protection not enabled
- PowerShell execution policy not securely configured
- Chrome browser not up to date
- SMBv1 Protocol Enabled
- No sign-in options enabled
- Windows Hello is not available
- Screensaver lock is not properly configured
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | helper_check |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
https://www.youtube.com/watch?v=xORy1bFBKCI
Dimension : credentials / Severity : 4
Tags : ISO 27001/2,Access Control, PCI-DSS,Requirement-8.2.3, SOC 2,CC-Logical Access Controls
Cached logon credentials are a security risk as they can be used by attackers to gain access to your system. They are stored on your system and can be retrieved by attackers who gain access to your computer or network. We recommend disabling cached logon credentials to increase the security of your system.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if(((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -Name 'DisablePasswordCaching' -ErrorAction SilentlyContinue).DisablePasswordCaching) -ne 1) { 'Password caching is not disabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 1 /f |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 0 /f |
Dimension : applications / Severity : 5
Tags : CIS Benchmark Level 1,Security Configuration Benchmarks, ISO 27001/2,Malware Protection, PCI-DSS,Requirement-5, SOC 2,CC-Malware Protection
You don't have any antivirus installed (Windows Defender, Sentinel One...). We recommend you to enable one.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | Function Get-AVStatus { [cmdletbinding()] Param() Process { $AV = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntivirusProduct'; $enabledAVs = $AV | Where-Object { $productState = '0x{0:x}' -f $_.ProductState; $enabled = $productState.Substring(3, 2) -match '10|11'; return $enabled }; if (-not $enabledAVs) { Write-Output 'epp_disabled' } } }; Get-AVStatus |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | ms-settings:windowsdefender |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | ms-settings:windowsdefender |
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,windows_security/bitlocker_enforce, ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-3.4, SOC 2,CC-Data Protection
Your main storage is not encrypted. While there is a little performance impact by enabling it, we really urge you to set it up. Without that anyone physically accessing your computer can access your data.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | admin | if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notmatch 'Virtual') { if ((Get-BitLockerVolume).ProtectionStatus -eq 'Off') { Write-Output 'File system not encrypted' } } |
https://www.youtube.com/watch?v=PtMyu9xrJ_E
https://www.youtube.com/watch?v=lY0Iz0NpAoU
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 2,Section: 1.1.1, ISO 27001/2,Control: A.9.4.4, PCI-DSS,Requirement-7.1, SOC 2,CC-User Access
User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes to your computer. If UAC is disabled, it's easier for malware to make changes to your system without your knowledge. You should enable UAC to protect your system from such attacks.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).EnableLUA -eq 0) { 'UAC disabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1 -Type DWord |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0 -Type DWord |
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 2,Section: 2.3.1.1, ISO 27001/2,Control: A.9.3.1, PCI-DSS,Requirement-8.1.5, SOC 2,CC-User Authentication
Automatic logon allows the system to automatically log on a user after booting up. This can be a security risk if the system is not physically secured as anyone can access the system without providing any credentials. It is recommended to disable automatic logon.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1') { 'Automatic logon enabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 0 |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 1 |
Dimension : credentials / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
Check if your email address might have recently appeared in a data breach.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | pwned -i 365 |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | digitalidentity_manager |
https://haveibeenpwned.com/
Dimension : network / Severity : 1
Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture
The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | lanscan |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | network_manager |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | network_manager |
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Section: 9.1.2, ISO 27001/2,Control: A.12.2.1, PCI-DSS,Requirement-2.2.2, SOC 2,CC-Malicious Code Prevention
Windows Script Host is a built-in Windows scripting environment that allows running of VBScript, JScript, and other scripting languages. Disabling it can help mitigate some types of malware attacks.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1) { 'Windows Script Host enabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 0 /f |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 1 /f |
Dimension : network / Severity : 4
Tags : CIS Benchmark Level 1,Section: 8.1.1, ISO 27001/2,Control: A.13.7.1, PCI-DSS,Requirement-2.3, SOC 2,CC-Network Security
RDP allows users to remotely access and control a Windows computer from another location. While this can be convenient, it also presents a significant security risk if left enabled and unprotected. An attacker could potentially gain access to your computer and compromise your sensitive data or even take control of your system.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0) { 'Terminal Services connections allowed' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1 |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 |
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Section: 2.3.1, ISO 27001/2,Control: A.12.6.1, PCI-DSS,Requirement-6.1, SOC 2,CC-System Monitoring
Disabling Windows Update prevents critical security patches and updates from being installed on your system, leaving your system vulnerable to known exploits and threats. It is highly recommended that you enable Windows Update to ensure your system is up to date with the latest security patches.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; $noAutoUpdate = (Get-ItemProperty -Path $registryPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate; $useWUServer = (Get-ItemProperty -Path $registryPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer; Write-Output ($(if ($noAutoUpdate -eq 0 -or $useWUServer -eq 1) { '' } else { $messages = @(); if ($noAutoUpdate -ne 0) {$messages += 'NoAutoUpdate is set.'}; if ($useWUServer -ne 1) {$messages += 'Updates are not managed through GPO.'}; $messages -join ' ' })) |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f |
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Section: 1.1.2, ISO 27001/2,Control: A.9.2.1, PCI-DSS,Requirement-8.1.6, SOC 2,CC-User Access
The Guest account is a default account in Windows, which allows users to access the system with limited privileges. It's recommended to disable this account to prevent unauthorized access to your system and data.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {'Guest account is active'} else {''} |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {Disable-LocalUser -Name $guestAccount.Name} |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if (-not $guestAccount.Enabled) {Enable-LocalUser -Name $guestAccount.Name} |
Dimension : credentials / Severity : 5
Tags : CIS Benchmark Level 1,Section: 1.1.1, ISO 27001/2,Control: A.9.4.2, PCI-DSS,Requirement-2.3, SOC 2,CC-User Access
The Built-in Administrator account is a powerful account that has full access to the system. Having this account enabled is a security risk as it is a common target for attackers. It should be disabled unless it is absolutely necessary to enable it.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {'Built-in Administrator account enabled'} else {''} |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {Disable-LocalUser -Name $adminAccount.Name} |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if (-not $adminAccount.Enabled) {Enable-LocalUser -Name $adminAccount.Name} |
Dimension : network / Severity : 5
Tags : CIS Benchmark Level 1,Section: 9.3.1, ISO 27001/2,Control: A.13.1.1, PCI-DSS,Requirement-1.4, SOC 2,CC-Network Security
Windows Firewall is a built-in feature of Windows that helps to protect your computer from unauthorized access. When it's disabled, your computer is vulnerable to attacks from the network. We recommend that you enable it.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-NetFirewallProfile -All | Where-Object { $_.Enabled -eq 'False' })) { 'One or more firewall profiles are disabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False |
Dimension : system services / Severity : 3
Tags : CIS Benchmark Level 1,Section: 2.2.4, ISO 27001/2,Control: A.9.4.1, PCI-DSS,Requirement-2.2, SOC 2,CC-System Configuration and Maintenance
The Remote Registry Service allows remote access to the Windows Registry. This can be a security risk if not properly secured.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-Service -Name RemoteRegistry).Status -eq 'Running') { 'RemoteRegistry service is running' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | (sc.exe config RemoteRegistry start= disabled) -and (sc.exe stop RemoteRegistry) |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | (sc.exe config RemoteRegistry start= auto) -and (sc.exe start RemoteRegistry) |
Dimension : credentials / Severity : 5
Tags : CIS Benchmark Level 1,Section: 2.3.11.9, ISO 27001/2,Control: A.9.2.3, PCI-DSS,Requirement-8.2.1, SOC 2,CC-User Authentication
The LM and NTLMv1 protocols are outdated and insecure authentication protocols. They should be disabled to prevent potential security threats. Leaving these protocols enabled can allow attackers to potentially crack passwords and gain unauthorized access to sensitive information.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 0 | Command line | user | if(((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue).LMCompatibilityLevel -lt 5) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinClientSec -lt 537395200) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinServerSec -lt 537395200)) { 'Weak NTLM settings' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 0 | Command line | system | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LMCompatibilityLevel' -Value '5' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '537395200' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 0 | Command line | system | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LmCompatibilityLevel' -Value '1' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '262144' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord |
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Section: 2.2.39, ISO 27001/2,Control: A.12.1.2, PCI-DSS,Requirement-6.2, SOC 2,CC-System Integrity
Lsass.exe is a critical system process that handles user authentication. It contains sensitive information such as passwords and security tokens. If this process is compromised, it could lead to a security breach. Enabling Lsass.exe process protection helps prevent attacks against this process. This content will show you how to enable Lsass.exe process protection.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0) { 'RunAsPPL is a REG_DWORD with value 0' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f |
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Section: 1.1.3, ISO 27001/2,Control: A.12.4.2, PCI-DSS,Requirement-2.2.4, SOC 2,CC-System Hardening
PowerShell is a powerful command-line tool that is built into Windows, and is often used by attackers to carry out malicious activities. The execution policy determines which scripts are allowed to run on a Windows system. If the execution policy is set to Unrestricted, it could allow an attacker to run malicious scripts on your system.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $currentUserPolicy= Get-ExecutionPolicy -Scope CurrentUser; if($currentUserPolicy -eq 'Unrestricted') { 'Execution Policy is unrestricted' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | restart | Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser -Force |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | restart | Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force |
Dimension : applications / Severity : 3
Tags : ISO 27001/2,Application Security, PCI-DSS,Requirement-6, SOC 2,CC-System Operations
Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome'; if (Test-Path $path) { $local_version = (Get-ItemProperty -Path $path).DisplayVersion; $web_content = Invoke-WebRequest -UseBasicParsing 'https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Windows&num=1'; $latest_version = ($web_content.Content | ConvertFrom-Json)[0].version; if ([version]$latest_version -le [version]$local_version) { Write-Output '' } else { Write-Output 'Chrome is not up to date (Installed: $local_version, Latest: $latest_version)'; } } else { Write-Output '' } |
https://support.google.com/chrome/answer/95414?hl=en
https://support.google.com/chrome/a/answer/6350036?hl=en
Dimension : network / Severity : 5
Tags : CIS Benchmark Level 1,windows_security/smb1_protocol_disabled
The SMBv1 protocol is enabled on your system. This protocol is outdated and has known vulnerabilities that can allow attackers to take over your system. It should be disabled to improve your system's security.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if((Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true) { 'SMBv1 enabled' } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | restart | Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | restart | Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart |
Dimension : credentials / Severity : 5
Your system currently does not have any sign-in options enabled. It is important to enable sign-in options like passwords, PIN, or Windows Hello to ensure your device is securely protected.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $lastLoggedOnProvider = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -Name 'LastLoggedOnProvider' -ErrorAction SilentlyContinue).LastLoggedOnProvider; if ($null -eq $lastLoggedOnProvider) { 'Registry entry not present' } elseif ($lastLoggedOnProvider -like '*NgcPin*') { $pinLength = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' -Name 'MinimumPINLength' -ErrorAction SilentlyContinue).MinimumPINLength; if ($pinLength -lt 6) { 'Windows Hello PIN does not meet the minimum length requirement.' } else { '' } } else { '' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | ms-settings:signinoptions |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | ms-settings:signinoptions |
Dimension : credentials / Severity : 5
Windows Hello, a crucial security feature, is not available on your system. Enabling it provides advanced security mechanisms such as PIN and biometric authentication.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Ngc\Status') { '' } else { 'Windows Hello is not available.' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | ms-settings:signinoptions |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | ms-settings:signinoptions |
Dimension : system integrity / Severity : 4
The screensaver lock settings are not properly configured. Ensuring a secure and active screensaver with a reasonable timeout enhances the physical security of your system.
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | user | $screensaverTimeout = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveTimeOut' -ErrorAction SilentlyContinue).ScreenSaveTimeOut; $screensaverActive = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveActive' -ErrorAction SilentlyContinue).ScreenSaveActive; $secureScreensaver = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaverIsSecure' -ErrorAction SilentlyContinue).ScreenSaverIsSecure; if ($screensaverActive -eq '1' -and $secureScreensaver -eq '1' -and $screensaverTimeout -le 600) { '' } else { 'Screensaver lock is not properly configured.' } |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | system | Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveTimeOut' -Value 600; Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveActive' -Value 1; Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaverIsSecure' -Value 1 |
Tested for | Action | Elevation | Script |
---|---|---|---|
Windows 10 | Command line | ms-settings:lockscreen |