From 419ff29adeb88691ff35618d8f9fb7df647b7fc3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Benedikt=20B=C3=B6hme?= Date: Tue, 21 Apr 2020 17:07:25 +0200 Subject: [PATCH] version 4.0 release --- ATAPAuditor/ATAPAuditor.psd1 | 45 + ATAPAuditor/ATAPAuditor.psm1 | 308 + ...ogle Chrome-CIS-2.0.0#RegistrySettings.ps1 | 2186 +++ ...gle Chrome-DISA-V1R15#RegistrySettings.ps1 | 1296 ++ ...rosoft IE11-CIS-1.0.0#RegistrySettings.ps1 | 4534 +++++ ...osoft IE11-DISA-V1R16#RegistrySettings.ps1 | 4968 ++++++ ... 2016 Excel-DISA-V1R2#RegistrySettings.ps1 | 1502 ++ ...016 Outlook-DISA-V1R2#RegistrySettings.ps1 | 1980 +++ ... PowerPoint-DISA-V1R1#RegistrySettings.ps1 | 1322 ++ ...ForBusiness-DISA-V1R1#RegistrySettings.ps1 | 108 + ...e 2016 Word-DISA-V1R1#RegistrySettings.ps1 | 1254 ++ ...dows 10 GDPR-BSI-V1.1#RegistrySettings.ps1 | 144 + ...s 10 GDPR-MS-16082019#RegistrySettings.ps1 | 4138 +++++ ...t Windows 10-CIS-1.8.1#AccountPolicies.ps1 | 234 + ...oft Windows 10-CIS-1.8.1#AuditPolicies.ps1 | 1616 ++ ... Windows 10-CIS-1.8.1#RegistrySettings.ps1 | 14348 ++++++++++++++++ ...rosoft Windows 10-CIS-1.8.1#UserRights.ps1 | 1267 ++ ... Windows 10-DISA-V1R16#AccountPolicies.ps1 | 234 + ...ws 10-DISA-V1R16#FileSystemPermissions.ps1 | 208 + ...dows 10-DISA-V1R16#RegistryPermissions.ps1 | 199 + ...Windows 10-DISA-V1R16#RegistrySettings.ps1 | 3996 +++++ ...osoft Windows 10-DISA-V1R16#UserRights.ps1 | 1155 ++ ... 10-DISA-V1R16#WindowsOptionalFeatures.ps1 | 76 + ... Server 2016-CIS-1.1.0#AccountPolicies.ps1 | 234 + ...ws Server 2016-CIS-1.1.0#AuditPolicies.ps1 | 1673 ++ ...Server 2016-CIS-1.1.0#RegistrySettings.ps1 | 439 + ...ndows Server 2016-CIS-1.1.0#UserRights.ps1 | 1409 ++ ... Server 2016-DISA-V1R6#AccountPolicies.ps1 | 286 + ...r 2016-DISA-V1R6#FileSystemPermissions.ps1 | 474 + ...ver 2016-DISA-V1R6#RegistryPermissions.ps1 | 200 + ...Server 2016-DISA-V1R6#RegistrySettings.ps1 | 3808 ++++ ...ndows Server 2016-DISA-V1R6#UserRights.ps1 | 1611 ++ ... Server 2016-DISA-V1R6#WindowsFeatures.ps1 | 152 + ... 
Server 2019-CIS-1.1.0#AccountPolicies.ps1 | 234 + ...ws Server 2019-CIS-1.1.0#AuditPolicies.ps1 | 2015 +++ ...Server 2019-CIS-1.1.0#RegistrySettings.ps1 | 9351 ++++++++++ ...ndows Server 2019-CIS-1.1.0#UserRights.ps1 | 1585 ++ ... Server 2019-DISA-V1R2#AccountPolicies.ps1 | 260 + ...r 2019-DISA-V1R2#FileSystemPermissions.ps1 | 366 + ...ver 2019-DISA-V1R2#RegistryPermissions.ps1 | 200 + ...Server 2019-DISA-V1R2#RegistrySettings.ps1 | 3444 ++++ ...ndows Server 2019-DISA-V1R2#UserRights.ps1 | 1222 ++ ... Server 2019-DISA-V1R2#WindowsFeatures.ps1 | 152 + ATAPAuditor/Helpers/LogFile.ps1 | 94 + ATAPAuditor/Helpers/SecurityPolicy.psm1 | 28 + ATAPAuditor/Reports/Google Chrome.ps1 | 30 + ATAPAuditor/Reports/Microsoft IE11.ps1 | 30 + .../Reports/Microsoft IIS10.ps1 | 848 +- .../Reports/Microsoft Office 2016 Excel.ps1 | 17 + .../Reports/Microsoft Office 2016 Outlook.ps1 | 17 + .../Microsoft Office 2016 PowerPoint.ps1 | 17 + ...Microsoft Office 2016 SkypeForBusiness.ps1 | 17 + .../Reports/Microsoft Office 2016 Word.ps1 | 17 + ATAPAuditor/Reports/Microsoft Office 2016.ps1 | 33 + .../Reports/Microsoft SQL Server 2016.ps1 | 582 +- .../Reports/Microsoft Windows 10 GDPR.ps1 | 30 + ATAPAuditor/Reports/Microsoft Windows 10.ps1 | 66 + .../Reports/Microsoft Windows Server 2016.ps1 | 71 + .../Reports/Microsoft Windows Server 2019.ps1 | 67 + ATAPAuditor/Reports/Mozilla Firefox.ps1 | 863 + ATAPAuditor/Resources/FirefoxPreferences.ps1 | 60 + .../Resources/WindowsSecurityPolicy.ps1 | 41 + ATAPHtmlReport/ATAPHtmlReport.Tests.ps1 | 42 +- ATAPHtmlReport/ATAPHtmlReport.psd1 | 2 +- ATAPHtmlReport/ATAPHtmlReport.psm1 | 549 +- CHANGELOG.md | 81 + Excel2016Audit/Excel2016Audit.psd1 | 148 - Excel2016Audit/Excel2016Audit.psm1 | 429 - .../MS_Excel_2016_DISA_STIG_V1R2.psd1 | 308 - Excel2016Audit/README.md | 34 - Excel2016Audit/Settings.psd1 | 49 - GoogleChromeAudit/GoogleChromeAudit.psd1 | 148 - GoogleChromeAudit/GoogleChromeAudit.psm1 | 430 - .../Google_Chrome_DISA_STIG_V1R15.psd1 | 295 - 
GoogleChromeAudit/README.md | 36 - GoogleChromeAudit/Settings.psd1 | 49 - IIS10Audit/IIS10Audit.psd1 | 149 - IIS10Audit/README.md | 40 - IIS10Audit/Sample/report.dark.html | 49 - IIS10Audit/Sample/report.html | 49 - IIS10Audit/Settings.psd1 | 35 - IIS8Audit/IIS8Audit.psd1 | 149 - IIS8Audit/IIS8Audit.psm1 | 2803 --- IIS8Audit/LogFileModule.psm1 | 148 - IIS8Audit/README.md | 50 - IIS8Audit/Sample/report.dark.html | Bin 136844 -> 0 bytes IIS8Audit/Sample/report.html | Bin 136868 -> 0 bytes IIS8Audit/Settings.psd1 | 46 - .../MS_IE_11_DISA_STIG_V1R16.psd1 | 974 -- MicrosoftIE11Audit/MicrosoftIE11Audit.psd1 | 148 - MicrosoftIE11Audit/MicrosoftIE11Audit.psm1 | 428 - MicrosoftIE11Audit/README.md | 36 - MicrosoftIE11Audit/Sample/report.dark.html | 1 - MicrosoftIE11Audit/Sample/report.html | 1 - MicrosoftIE11Audit/Settings.psd1 | 49 - MozillaFirefoxAudit/MozillaFirefoxAudit.psd1 | 148 - MozillaFirefoxAudit/MozillaFirefoxAudit.psm1 | 715 - .../Mozilla_FireFox_DISA_STIG_V4R24.psd1 | 117 - ...zilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1 | 332 - MozillaFirefoxAudit/README.md | 37 - MozillaFirefoxAudit/Settings.psd1 | 49 - .../MS_Outlook_2016_DISA_STIG_V1R2.psd1 | 412 - Outlook2016Audit/Outlook2016Audit.psd1 | 148 - Outlook2016Audit/Outlook2016Audit.psm1 | 428 - Outlook2016Audit/README.md | 34 - Outlook2016Audit/Settings.psd1 | 49 - .../MS_Powerpoint_2016_DISA_STIG_V1R1.psd1 | 273 - Powerpoint2016Audit/Powerpoint2016Audit.psd1 | 148 - Powerpoint2016Audit/Powerpoint2016Audit.psm1 | 429 - Powerpoint2016Audit/README.md | 34 - Powerpoint2016Audit/Settings.psd1 | 49 - README.md | 159 +- SQL2016Benchmarks/README.md | 40 - SQL2016Benchmarks/SQL2016Benchmarks.psd1 | 146 - SQL2016Benchmarks/Sample/myReport.html | 7 - SQL2016Benchmarks/Settings.psd1 | 51 - .../GoogleChrome.dark.html | 0 .../report.html => Samples/GoogleChrome.html | 0 .../MozillaFirefox.dark.html | 0 .../MozillaFirefox.html | 0 .../Office2016.dark.html | 0 .../Office2016Excel.dark.html | 0 .../Office2016Outlook.dark.html | 0 
.../Office2016Outlook.html | 0 .../Office2016PowerPoint.dark.html | 0 .../Office2016PowerPoint.html | 0 .../Office2016SkypeForBusiness.dark.html | 0 .../Office2016SkypeForBusiness.html | 0 .../Office2016Word.dark.html | 0 .../Office2016Word.html | 0 .../Windows10.html | 2 +- ...MS_Skype4Business_2016_DISA_STIG_V1R1.psd1 | 28 - Skype4Business2016Audit/README.md | 34 - Skype4Business2016Audit/Settings.psd1 | 49 - .../Skype4Business2016Audit.psd1 | 148 - .../Skype4Business2016Audit.psm1 | 429 - Windows10Audit/README.md | 37 - Windows10Audit/Settings.psd1 | 49 - Windows10Audit/Win10_CIS_V1.4.0.psd1 | 8341 --------- Windows10Audit/Win10_DISA_V1R16.psd1 | 1394 -- Windows10Audit/Windows10Audit.psd1 | 150 - Windows10Audit/Windows10Audit.psm1 | 1820 -- Windows10GDPRAudit/README.md | 37 - Windows10GDPRAudit/Sample/sample_report.html | 1 - Windows10GDPRAudit/Windows10GDPRAudit.psd1 | 71 - Windows10GDPRAudit/Windows10GDPRAudit.psm1 | 4602 ----- WindowsServer2016Audit/CISBenchmarks.psd1 | 1812 -- WindowsServer2016Audit/DISARequirements.psd1 | 1542 -- WindowsServer2016Audit/README.md | 37 - .../Sample/report.dark.html | 1 - WindowsServer2016Audit/Sample/report.html | 1 - WindowsServer2016Audit/Settings.psd1 | 52 - .../WindowsServer2016Audit.psd1 | 150 - .../WindowsServer2016Audit.psm1 | 1910 -- .../MS_Word_2016_DISA_STIG_V1R1.psd1 | 256 - Word2016Audit/README.md | 34 - Word2016Audit/Settings.psd1 | 49 - Word2016Audit/Word2016Audit.psd1 | 148 - Word2016Audit/Word2016Audit.psm1 | 440 - 159 files changed, 78862 insertions(+), 35483 deletions(-) create mode 100644 ATAPAuditor/ATAPAuditor.psd1 create mode 100644 ATAPAuditor/ATAPAuditor.psm1 create mode 100644 ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft IE11-CIS-1.0.0#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft 
IE11-DISA-V1R16#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-BSI-V1.1#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AuditPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#FileSystemPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistryPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#WindowsOptionalFeatures.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AuditPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 
2016-CIS-1.1.0#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#FileSystemPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistryPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#WindowsFeatures.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AuditPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#AccountPolicies.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#FileSystemPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistryPermissions.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistrySettings.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#UserRights.ps1 create mode 100644 ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#WindowsFeatures.ps1 create mode 100644 ATAPAuditor/Helpers/LogFile.ps1 create mode 100644 ATAPAuditor/Helpers/SecurityPolicy.psm1 create mode 100644 ATAPAuditor/Reports/Google Chrome.ps1 create mode 100644 
ATAPAuditor/Reports/Microsoft IE11.ps1 rename IIS10Audit/IIS10Audit.psm1 => ATAPAuditor/Reports/Microsoft IIS10.ps1 (80%) create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016 Excel.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016 Outlook.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016 PowerPoint.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016 SkypeForBusiness.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016 Word.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Office 2016.ps1 rename SQL2016Benchmarks/SQL2016Benchmarks.psm1 => ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 (85%) create mode 100644 ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Windows 10.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 create mode 100644 ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 create mode 100644 ATAPAuditor/Reports/Mozilla Firefox.ps1 create mode 100644 ATAPAuditor/Resources/FirefoxPreferences.ps1 create mode 100644 ATAPAuditor/Resources/WindowsSecurityPolicy.ps1 create mode 100644 CHANGELOG.md delete mode 100644 Excel2016Audit/Excel2016Audit.psd1 delete mode 100644 Excel2016Audit/Excel2016Audit.psm1 delete mode 100644 Excel2016Audit/MS_Excel_2016_DISA_STIG_V1R2.psd1 delete mode 100644 Excel2016Audit/README.md delete mode 100644 Excel2016Audit/Settings.psd1 delete mode 100644 GoogleChromeAudit/GoogleChromeAudit.psd1 delete mode 100644 GoogleChromeAudit/GoogleChromeAudit.psm1 delete mode 100644 GoogleChromeAudit/Google_Chrome_DISA_STIG_V1R15.psd1 delete mode 100644 GoogleChromeAudit/README.md delete mode 100644 GoogleChromeAudit/Settings.psd1 delete mode 100644 IIS10Audit/IIS10Audit.psd1 delete mode 100644 IIS10Audit/README.md delete mode 100644 IIS10Audit/Sample/report.dark.html delete mode 100644 IIS10Audit/Sample/report.html delete mode 100644 IIS10Audit/Settings.psd1 delete mode 100644 
IIS8Audit/IIS8Audit.psd1 delete mode 100644 IIS8Audit/IIS8Audit.psm1 delete mode 100644 IIS8Audit/LogFileModule.psm1 delete mode 100644 IIS8Audit/README.md delete mode 100644 IIS8Audit/Sample/report.dark.html delete mode 100644 IIS8Audit/Sample/report.html delete mode 100644 IIS8Audit/Settings.psd1 delete mode 100644 MicrosoftIE11Audit/MS_IE_11_DISA_STIG_V1R16.psd1 delete mode 100644 MicrosoftIE11Audit/MicrosoftIE11Audit.psd1 delete mode 100644 MicrosoftIE11Audit/MicrosoftIE11Audit.psm1 delete mode 100644 MicrosoftIE11Audit/README.md delete mode 100644 MicrosoftIE11Audit/Sample/report.dark.html delete mode 100644 MicrosoftIE11Audit/Sample/report.html delete mode 100644 MicrosoftIE11Audit/Settings.psd1 delete mode 100644 MozillaFirefoxAudit/MozillaFirefoxAudit.psd1 delete mode 100644 MozillaFirefoxAudit/MozillaFirefoxAudit.psm1 delete mode 100644 MozillaFirefoxAudit/Mozilla_FireFox_DISA_STIG_V4R24.psd1 delete mode 100644 MozillaFirefoxAudit/Mozilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1 delete mode 100644 MozillaFirefoxAudit/README.md delete mode 100644 MozillaFirefoxAudit/Settings.psd1 delete mode 100644 Outlook2016Audit/MS_Outlook_2016_DISA_STIG_V1R2.psd1 delete mode 100644 Outlook2016Audit/Outlook2016Audit.psd1 delete mode 100644 Outlook2016Audit/Outlook2016Audit.psm1 delete mode 100644 Outlook2016Audit/README.md delete mode 100644 Outlook2016Audit/Settings.psd1 delete mode 100644 Powerpoint2016Audit/MS_Powerpoint_2016_DISA_STIG_V1R1.psd1 delete mode 100644 Powerpoint2016Audit/Powerpoint2016Audit.psd1 delete mode 100644 Powerpoint2016Audit/Powerpoint2016Audit.psm1 delete mode 100644 Powerpoint2016Audit/README.md delete mode 100644 Powerpoint2016Audit/Settings.psd1 delete mode 100644 SQL2016Benchmarks/README.md delete mode 100644 SQL2016Benchmarks/SQL2016Benchmarks.psd1 delete mode 100644 SQL2016Benchmarks/Sample/myReport.html delete mode 100644 SQL2016Benchmarks/Settings.psd1 rename GoogleChromeAudit/Sample/report.dark.html => Samples/GoogleChrome.dark.html (100%) 
rename GoogleChromeAudit/Sample/report.html => Samples/GoogleChrome.html (100%) rename MozillaFirefoxAudit/Sample/report.dark.html => Samples/MozillaFirefox.dark.html (100%) rename MozillaFirefoxAudit/Sample/report.html => Samples/MozillaFirefox.html (100%) rename Excel2016Audit/Sample/report.html => Samples/Office2016.dark.html (100%) rename Excel2016Audit/Sample/report.dark.html => Samples/Office2016Excel.dark.html (100%) rename Outlook2016Audit/Sample/report.dark.html => Samples/Office2016Outlook.dark.html (100%) rename Outlook2016Audit/Sample/report.html => Samples/Office2016Outlook.html (100%) rename Powerpoint2016Audit/Sample/report.dark.html => Samples/Office2016PowerPoint.dark.html (100%) rename Powerpoint2016Audit/Sample/report.html => Samples/Office2016PowerPoint.html (100%) rename Skype4Business2016Audit/Samples/report.dark.html => Samples/Office2016SkypeForBusiness.dark.html (100%) rename Skype4Business2016Audit/Samples/report.html => Samples/Office2016SkypeForBusiness.html (100%) rename Word2016Audit/Samples/report.dark.html => Samples/Office2016Word.dark.html (100%) rename Word2016Audit/Samples/report.html => Samples/Office2016Word.html (100%) rename Windows10Audit/Sample/20190514_0814_auditreport.html => Samples/Windows10.html (61%) delete mode 100644 Skype4Business2016Audit/MS_Skype4Business_2016_DISA_STIG_V1R1.psd1 delete mode 100644 Skype4Business2016Audit/README.md delete mode 100644 Skype4Business2016Audit/Settings.psd1 delete mode 100644 Skype4Business2016Audit/Skype4Business2016Audit.psd1 delete mode 100644 Skype4Business2016Audit/Skype4Business2016Audit.psm1 delete mode 100644 Windows10Audit/README.md delete mode 100644 Windows10Audit/Settings.psd1 delete mode 100644 Windows10Audit/Win10_CIS_V1.4.0.psd1 delete mode 100644 Windows10Audit/Win10_DISA_V1R16.psd1 delete mode 100644 Windows10Audit/Windows10Audit.psd1 delete mode 100644 Windows10Audit/Windows10Audit.psm1 delete mode 100644 Windows10GDPRAudit/README.md delete mode 100644 
Windows10GDPRAudit/Sample/sample_report.html delete mode 100644 Windows10GDPRAudit/Windows10GDPRAudit.psd1 delete mode 100644 Windows10GDPRAudit/Windows10GDPRAudit.psm1 delete mode 100644 WindowsServer2016Audit/CISBenchmarks.psd1 delete mode 100644 WindowsServer2016Audit/DISARequirements.psd1 delete mode 100644 WindowsServer2016Audit/README.md delete mode 100644 WindowsServer2016Audit/Sample/report.dark.html delete mode 100644 WindowsServer2016Audit/Sample/report.html delete mode 100644 WindowsServer2016Audit/Settings.psd1 delete mode 100644 WindowsServer2016Audit/WindowsServer2016Audit.psd1 delete mode 100644 WindowsServer2016Audit/WindowsServer2016Audit.psm1 delete mode 100644 Word2016Audit/MS_Word_2016_DISA_STIG_V1R1.psd1 delete mode 100644 Word2016Audit/README.md delete mode 100644 Word2016Audit/Settings.psd1 delete mode 100644 Word2016Audit/Word2016Audit.psd1 delete mode 100644 Word2016Audit/Word2016Audit.psm1 diff --git a/ATAPAuditor/ATAPAuditor.psd1 b/ATAPAuditor/ATAPAuditor.psd1 new file mode 100644 index 00000000..2b6bd0fb --- /dev/null +++ b/ATAPAuditor/ATAPAuditor.psd1 
@@ -0,0 +1,45 @@
+@{
+RootModule = 'ATAPAuditor.psm1'
+ModuleVersion = '4.0'
+GUID = '1662a599-4e3a-4f72-a844-9582077b589e'
+Author = 'Benedikt Böhme'
+CompanyName = 'FB Pro GmbH'
+Copyright = '(c) 2020 FB Pro GmbH. All rights reserved.'
+Description = ''
+PowerShellVersion = '5.0'
+RequiredModules = @(
+ 'ATAPHtmlReport'
+)
+# RequiredAssemblies = @()
+# ScriptsToProcess = @()
+# TypesToProcess = @()
+# FormatsToProcess = @()
+# NestedModules = @()
+FunctionsToExport = @(
+ 'Save-ATAPHtmlReport'
+ 'Invoke-ATAPReport'
+ 'Get-ATAPReport'
+ 'Get-AuditResource'
+ 'Test-AuditGroup'
+)
+CmdletsToExport = @()
+VariablesToExport = ''
+AliasesToExport = @(
+ 'shr'
+)
+# ModuleList = @()
+# FileList = @()
+PrivateData = @{
+ PSData = @{
+ Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html')
+ LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
+ ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
+ # IconUri = ''
+ # ReleaseNotes = ''
+
+ } # End of PSData hashtable
+
+} # End of PrivateData hashtable
+# HelpInfoURI = ''
+# DefaultCommandPrefix = 'ATAP'
+}
diff --git a/ATAPAuditor/ATAPAuditor.psm1 b/ATAPAuditor/ATAPAuditor.psm1
new file mode 100644
index 00000000..f498f306
--- /dev/null
+++ b/ATAPAuditor/ATAPAuditor.psm1
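Review bot: `RequiredModules = @( 'ATAPHtmlReport' )` declares the report-rendering dependency by name only, so any installed ATAPHtmlReport satisfies the manifest even though the diffstat shows ATAPHtmlReport.psd1 and ATAPHtmlReport.psm1 changing in this same commit; a version-pinned entry such as `@{ ModuleName = 'ATAPHtmlReport'; ModuleVersion = '<min-version>' }` keeps the auditor from binding to an older module whose `Get-ATAPHtmlReport` contract may differ. `Description = ''` is also empty, which is what `Get-Module -ListAvailable` and gallery listings show, so a one-line description of the module is worth adding here.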
@@ -0,0 +1,308 @@
+using namespace Microsoft.PowerShell.Commands
+
+#region Initialization
+
+$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
+
+$script:atapReportsPath = $env:ATAPReportPath
+if (-not $script:atapReportsPath) {
+ $script:atapReportsPath = [Environment]::GetFolderPath('MyDocuments') | Join-Path -ChildPath 'ATAPReports'
+}
+#endregion
+
+#region Classes
+class AuditTest {
+ [string] $Id
+ [string] $Task
+ [hashtable[]] $Constraints
+ [scriptblock] $Test
+}
+
+enum AuditInfoStatus {
+ True
+ False
+ Warning
+ None
+ Error
+}
+
+class AuditInfo {
+ [string] $Id
+ [string] $Task
+ [AuditInfoStatus] $Status
+ [string] $Message
+}
+
+class ReportSection {
+ [string] $Title
+ [string] $Description
+ [AuditInfo[]] $AuditInfos
+ [ReportSection[]] $SubSections
+}
+
+class Report {
+ [string] $Title
+ [string] $ModuleName
+ [hashtable] $HostInformation
+ [string[]] $BasedOn
+ [ReportSection[]] $Sections
+}
+#endregion
+
+#region helpers
+function Test-ArrayEqual {
+ [OutputType([bool])]
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $true)]
+ [AllowNull()]
+ [AllowEmptyCollection()]
+ [array]
+ $Array1,
+
+ [Parameter(Mandatory = $true)]
+ [AllowNull()]
+ [AllowEmptyCollection()]
+ [array]
+ $Array2
+ )
+
+ if ($null -eq $Array1) {
+ $Array1 = @()
+ }
+
+ if ($null -eq $Array2) {
+ $Array2 = @()
+ }
+
+ if ($Array1.Count -ne $Array2.Count) {
+ return $false
+ }
+
+ for ($i = 0; $i -lt $Array1.Count; $i++) {
+ if ($Array1[$i] -ne $Array2[$i]) {
+ return $false
+ }
+ }
+ return $true
+}
+
+# Get domain role
+# 0 {"Standalone Workstation"}
+# 1 {"Member Workstation"}
+# 2 {"Standalone Server"}
+# 3 {"Member Server"}
+# 4 {"Backup Domain Controller"}
+# 5 {"Primary Domain Controller"}
+function Get-DomainRole {
+ [DomainRole](Get-CimInstance -Class Win32_ComputerSystem).DomainRole
+}
+
+#endregion
+
+<#
+.SYNOPSIS
+ Runs the tests of an AuditGroup.
+.DESCRIPTION
+ Runs the tests of an AuditGroup file.
+.EXAMPLE
+ PS C:\> Test-AuditGroup "Google Chrome-CIS-2.0.0#RegistrySettings"
+ This runs tests defined in the AuditGroup file called 'Google Chrome-CIS-2.0.0#RegistrySettings'.
+.PARAMETER GroupName
+ The name of the AuditGroup.
+#>
+function Test-AuditGroup {
+ [CmdletBinding()]
+ [OutputType([AuditInfo[]])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]
+ $GroupName
+ )
+
+ $tests = . "$RootPath\AuditGroups\$($GroupName).ps1"
+
+ foreach ($test in $tests) {
+ Write-Verbose "Testing $($test.Id)"
+ $message = "Test not implemented yet."
+ $status = [AuditInfoStatus]::None
+ if ($test.Constraints) {
+ $DomainRoleConstraint = $test.Constraints | Where-Object Property -EQ "DomainRole"
+ $currentRole = Get-DomainRole
+ $domainRoles = $DomainRoleConstraint.Values
+ if ($currentRole -notin $domainRoles) {
+ Write-Output ([AuditInfo]@{
+ Id = $test.Id
+ Task = $test.Task
+ Message = 'Not applicable. This audit applies only to {0}.' -f ($DomainRoleConstraint.Values -join ' and ')
+ Status = [AuditInfoStatus]::None
+ })
+ continue
+ }
+ }
+
+ try {
+ $innerResult = & $test.Test
+
+ if ($null -ne $innerResult) {
+ $message = $innerResult.Message
+ $status = [AuditInfoStatus]$innerResult.Status
+ }
+ }
+ catch {
+ Write-Error $_
+ $message = "An error occured!"
+ $status = [AuditInfoStatus]::Error
+ }
+
+ Write-Output ([AuditInfo]@{
+ Id = $test.Id
+ Task = $test.Task
+ Message = $message
+ Status = $status
+ })
+ }
+}
+
+<#
+.SYNOPSIS
+ Get an audit resource.
+.DESCRIPTION
+ A resource provides abstration over an existing system resource. It is used by AuditTests.
+.PARAMETER Name
+ The name of the resource.
+.EXAMPLE
+ PS C:\> Get-AuditResource -Name "WindowsSecurityPolicy"
+ Gets the WindowsSecurityPolicy resource.
+#>
+function Get-AuditResource {
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $Name
+ )
+
+ if ($null -eq $script:loadedResources) {
+ return & "$RootPath\Resources\$($Name).ps1"
+ }
+ if (-not $script:loadedResources.ContainsKey($Name)) {
+ $script:loadedResources[$Name] = (& "$RootPath\Resources\$($Name).ps1")
+ }
+ return $script:loadedResources[$Name]
+}
+
+<#
+.SYNOPSIS
+ Get all reports.
+.DESCRIPTION
+ Find the reports installed on the system.
+.PARAMETER ReportName
+ The name of the report.
+.EXAMPLE
+ PS C:\> Get-ATAPReport
+ Gets all reports.
+#>
+function Get-ATAPReport {
+ [CmdletBinding()]
+ param (
+ [Parameter()]
+ [string]
+ $ReportName = "*"
+ )
+
+ return Get-ChildItem "$RootPath\Reports\$ReportName.ps1" | Select-Object -Property BaseName
+}
+
+<#
+.SYNOPSIS
+ Invokes an ATAPReport
+.DESCRIPTION
+ Long description
+.EXAMPLE
+ PS C:\> ATAPReport -ReportName "Google Chrome"
+ This runs the report and outputs the logical report data.
+.PARAMETER ReportName
+ The name of the report.
+.OUTPUTS
+ Logical report data.
+#>
+function Invoke-ATAPReport {
+ [CmdletBinding()]
+ param (
+ [Alias('RN')]
+ [Parameter(Mandatory = $true)]
+ [string]
+ $ReportName
+ )
+
+ $script:loadedResources = @{}
+
+ return (& "$RootPath\Reports\$ReportName.ps1")
+}
+
+<#
+.SYNOPSIS
+ Saves an ATAPHtmlReport
+.DESCRIPTION
+ Runs the specified ATAPReport and creates a report.
+.EXAMPLE
+ PS C:\> Save-ATAPHtmlReport -ReportName "Google Chrome"
+ This runs the 'Google Chrome' report and stores the resulting html file (by default) under ~\Documents\ATAPReports
+.PARAMETER ReportName
+ The name of the report.
+.PARAMETER Path
+ The path where the result html document should be stored.
+.PARAMETER DarkMode
+ By default the report is displayed in light mode. If specified the report will be displayed in dark mode.
+.PARAMETER Force
+ If the parent directory doesn't exist it will be created.
+.OUTPUTS
+ None.
+#>
+function Save-ATAPHtmlReport {
+ [CmdletBinding()]
+ param(
+ [Alias('RN')]
+ [Parameter(Mandatory = $true)]
+ [string]
+ $ReportName,
+
+ [Parameter(Mandatory = $false)]
+ [string]
+ $Path = ($script:atapReportsPath | Join-Path -ChildPath "$($ReportName)_$(Get-Date -UFormat %Y%m%d_%H%M).html"),
+
+ [switch]
+ $DarkMode,
+
+ [Parameter()]
+ [switch]
+ $Force
+ )
+
+ $parent = Split-Path $Path
+ if (-not [string]::IsNullOrEmpty($parent) -and -not (Test-Path $parent)) {
+ if ($Force) {
+ New-Item -ItemType Directory -Path $parent -Force | Out-Null
+ }
+ else {
+ Write-Error "Cannot save the report at $parent because the path does not exist."
+ return
+ }
+ }
+ Invoke-ATAPReport -ReportName $ReportName | Get-ATAPHtmlReport -Path $Path -DarkMode:$DarkMode
+}
+
+New-Alias -Name 'shr' -Value Save-ATAPHtmlReport
+
+$completer = {
+ param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+
+ Get-ChildItem "$RootPath\Reports\*.ps1" `
+ | Select-Object -ExpandProperty BaseName `
+ | ForEach-Object { "`"$_`"" } `
+ | Where-Object { $_ -like "*$wordToComplete*" }
+}.GetNewClosure()
+
+Register-ArgumentCompleter -CommandName Save-ATAPHtmlReport -ParameterName ReportName -ScriptBlock $completer
+Register-ArgumentCompleter -CommandName shr -ParameterName ReportName -ScriptBlock $completer
\ No newline at end of file
diff --git a/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1
new file mode 100644
index 00000000..f29d2f88
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1
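Review bot: `Test-AuditGroup`, `Get-AuditResource` and `Invoke-ATAPReport` each build a script path from the caller-supplied name and execute it (`. "$RootPath\AuditGroups\$($GroupName).ps1"`, `& "$RootPath\Resources\$($Name).ps1"`, `& "$RootPath\Reports\$ReportName.ps1"`) without confining the name to the intended folder, so a name containing path separators runs a script from outside it; since audits are typically run elevated and `Save-ATAPHtmlReport`/`shr` forward `ReportName` into `Invoke-ATAPReport`, add `[ValidatePattern('^[^\\/:]+$')]` to each of the three name parameters (or accept only names returned by `Get-ATAPReport`). A second defect sits in `Test-AuditGroup`: when `$test.Constraints` is non-empty but holds no `DomainRole` entry, `$DomainRoleConstraint.Values` is `$null`, `$currentRole -notin $null` appears to evaluate true, and the test is reported as "Not applicable. This audit applies only to ." — guard it with `if ($DomainRoleConstraint -and $currentRole -notin $DomainRoleConstraint.Values) {`. `Get-DomainRole` also issues a CIM query inside the loop for every constrained test; hoisting one `$currentRole = Get-DomainRole` above `foreach` avoids the repeated queries. On style, `$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent` can simply be `$PSScriptRoot` in a module file.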
@@ -0,0 +1,2186 @@
+[AuditTest] @{
+ Id = "1.1.1"
+ Task = "(L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostRequireCurtain" `
+ | Select-Object -ExpandProperty "RemoteAccessHostRequireCurtain"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.2"
+ Task = "(L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostAllowGnubbyAuth" `
+ | Select-Object -ExpandProperty "RemoteAccessHostAllowGnubbyAuth"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.3"
+ Task = "(L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostAllowUiAccessForRemoteAssistance" `
+ | Select-Object -ExpandProperty "RemoteAccessHostAllowUiAccessForRemoteAssistance"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2"
+ Task = "(L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "BackgroundModeEnabled" `
+ | Select-Object -ExpandProperty "BackgroundModeEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3" + Task = "(L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "PromptForDownloadLocation" ` + | Select-Object -ExpandProperty "PromptForDownloadLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4" + Task = "(L1) Ensure 'Disable saving browser history' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SavingBrowserHistoryDisabled" ` + | Select-Object -ExpandProperty "SavingBrowserHistoryDisabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5" + Task = "(L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "Http09OnNonDefaultPortsEnabled" ` + | Select-Object -ExpandProperty "Http09OnNonDefaultPortsEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6" + Task = "(L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ComponentUpdatesEnabled" ` + | Select-Object -ExpandProperty "ComponentUpdatesEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.7" + Task = "(L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.8" + Task = "(L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ThirdPartyBlockingEnabled" ` + | Select-Object -ExpandProperty "ThirdPartyBlockingEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.9" + Task = "(L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RunAllFlashInAllowMode" ` + | Select-Object -ExpandProperty "RunAllFlashInAllowMode" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.10" + Task = "(L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SuppressUnsupportedOSWarning" ` + | Select-Object -ExpandProperty "SuppressUnsupportedOSWarning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.11" + Task = "(L1) Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "EnableOnlineRevocationChecks" ` + | Select-Object -ExpandProperty "EnableOnlineRevocationChecks" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.12" + Task = "(L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "WebDriverOverridesIncompatiblePolicies" ` + | Select-Object -ExpandProperty "WebDriverOverridesIncompatiblePolicies" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.13" + Task = "(L1) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled' with value 'Do not filter sites for adult content' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SafeSitesFilterBehavior" ` + | Select-Object -ExpandProperty "SafeSitesFilterBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.14" + Task = "(L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.15" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.16" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.17" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "(L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultPluginsSetting" ` + | Select-Object -ExpandProperty "DefaultPluginsSetting" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "(L2) Ensure 'Default notification setting' is set to 'Enabled' with 'Do not allow any site to show desktop notifications'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultNotificationsSetting" ` + | Select-Object -ExpandProperty "DefaultNotificationsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3" + Task = "(L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled' with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultWebBluetoothGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebBluetoothGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4" + Task = "(L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled' with 'Do not allow any site to request access to USB devices via the WebUSB API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultWebUsbGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebUsbGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.5" + Task = "(L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' (`"*`" for all extensions)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.7" + Task = "(L2) Ensure 'Configure native messaging blacklist' is set to 'Enabled' (`"*`" for all messaging applications)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NativeMessagingBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.9" + Task = "(L1) Ensure 'Supported authentication schemes' is set to 'Enabled' (ntlm, negotiate)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AuthSchemes" ` + | Select-Object -ExpandProperty "AuthSchemes" + + if ($regValue -ne "ntlm, negotiate") { + return @{ + Message = "Registry value is '$regValue'. Expected: ntlm, negotiate" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.10" + Task = "(L1) Ensure 'Choose how to specify proxy server settings' is not set to 'Enabled' with 'Auto detect proxy settings'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ProxyMode" ` + | Select-Object -ExpandProperty "ProxyMode" + + if ($regValue -ne "auto_detect") { + return @{ + Message = "Registry value is '$regValue'. Expected: auto_detect" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.11" + Task = "(L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AllowOutdatedPlugins" ` + | Select-Object -ExpandProperty "AllowOutdatedPlugins" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.12" + Task = "(L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "CloudPrintProxyEnabled" ` + | Select-Object -ExpandProperty "CloudPrintProxyEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.13" + Task = "(L1) Ensure 'Enable Site Isolation for every site' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SitePerProcess" ` + | Select-Object -ExpandProperty "SitePerProcess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.14" + Task = "(L1) Ensure 'Allow download restrictions' is set to 'Enabled' with 'Block dangerous downloads' specified." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DownloadRestrictions" ` + | Select-Object -ExpandProperty "DownloadRestrictions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.15" + Task = "(L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DisableSafeBrowsingProceedAnyway" ` + | Select-Object -ExpandProperty "DisableSafeBrowsingProceedAnyway" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.16" + Task = "(L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled' with 'Show a recurring prompt to the user indication that a relaunch is required' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RelaunchNotification" ` + | Select-Object -ExpandProperty "RelaunchNotification" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.17" + Task = "(L1) Ensure 'Set the time period for update notifications' is set to 'Enabled' with '86400000' (1 day) specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RelaunchNotificationPeriod" ` + | Select-Object -ExpandProperty "RelaunchNotificationPeriod" + + if (($regValue -gt 86400000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 86400000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.18" + Task = "(L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RequireOnlineRevocationChecksForLocalAnchors" ` + | Select-Object -ExpandProperty "RequireOnlineRevocationChecksForLocalAnchors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.20" + Task = "(L2) Ensure 'Use built-in DNS client' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "BuiltInDnsClientEnabled" ` + | Select-Object -ExpandProperty "BuiltInDnsClientEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.21" + Task = "(L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update" ` + -Name "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" ` + | Select-Object -ExpandProperty "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "(L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultCookiesSetting" ` + | Select-Object -ExpandProperty "DefaultCookiesSetting" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.2"
+ Task = "(L1) Ensure 'Default geolocation setting' is set to 'Enabled' with 'Do not allow any site to track the users' physical location'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "DefaultGeolocationSetting" `
+ | Select-Object -ExpandProperty "DefaultGeolocationSetting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.3"
+ Task = "(L1) Ensure 'Enable Google Cast' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "EnableMediaRouter" `
+ | Select-Object -ExpandProperty "EnableMediaRouter"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.4"
+ Task = "(L1) Ensure 'Block third party cookies' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "BlockThirdPartyCookies" `
+ | Select-Object -ExpandProperty "BlockThirdPartyCookies"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.5"
+ Task = "(L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "MetricsReportingEnabled" `
+ | Select-Object -ExpandProperty "MetricsReportingEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.6"
+ Task = "(L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "ChromeCleanupReportingEnabled" `
+ | Select-Object -ExpandProperty "ChromeCleanupReportingEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.7"
+ Task = "(L1) Ensure 'Browser sign in settings' is set to 'Enabled' with 'Disabled browser sign-in' specified"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "BrowserSignin" `
+ | Select-Object -ExpandProperty "BrowserSignin"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.8"
+ Task = "(L1) Ensure 'Enable Translate' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "TranslateEnabled" `
+ | Select-Object -ExpandProperty "TranslateEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.9"
+ Task = "(L1) Ensure 'Enable network prediction' is set to 'Enabled' with 'Do not predict actions on any network connection' selected"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "NetworkPredictionOptions" `
+ | Select-Object -ExpandProperty "NetworkPredictionOptions"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.10"
+ Task = "(L1) Ensure 'Enable search suggestions' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "SearchSuggestEnabled" `
+ | Select-Object -ExpandProperty "SearchSuggestEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.11"
+ Task = "(L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "SpellCheckServiceEnabled" `
+ | Select-Object -ExpandProperty "SpellCheckServiceEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.12"
+ Task = "(L1) Ensure 'Enable alternate error pages' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "AlternateErrorPagesEnabled" `
+ | Select-Object -ExpandProperty "AlternateErrorPagesEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.13"
+ Task = "(L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "SyncDisabled" `
+ | Select-Object -ExpandProperty "SyncDisabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.14"
+ Task = "(L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "SafeBrowsingForTrustedSourcesEnabled" `
+ | Select-Object -ExpandProperty "SafeBrowsingForTrustedSourcesEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.15"
+ Task = "(L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "UrlKeyedAnonymizedDataCollectionEnabled" `
+ | Select-Object -ExpandProperty "UrlKeyedAnonymizedDataCollectionEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.16"
+ Task = "(L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "AllowDeletingBrowserHistory" `
+ | Select-Object -ExpandProperty "AllowDeletingBrowserHistory"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4.1.1"
+ Task = "(L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostFirewallTraversal" `
+ | Select-Object -ExpandProperty "RemoteAccessHostFirewallTraversal"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4.1.2"
+ Task = "(L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostAllowClientPairing" `
+ | Select-Object -ExpandProperty "RemoteAccessHostAllowClientPairing"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4.1.3"
+ Task = "(L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "RemoteAccessHostAllowRelayedConnection" `
+ | Select-Object -ExpandProperty "RemoteAccessHostAllowRelayedConnection"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4.1.4"
+ Task = "(L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\RemoteAccessHostClientDomainList" `
+ -Name "\d+" `
+ | Select-Object -ExpandProperty "\d+"
+
+ if ($regValue -notmatch ".*") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: Matching expression '.*'"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.1"
+ Task = "(L1) Ensure 'Enable submission of documents to Google Cloud print' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "CloudPrintSubmitEnabled" `
+ | Select-Object -ExpandProperty "CloudPrintSubmitEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.2"
+ Task = "(L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "ImportSavedPasswords" `
+ | Select-Object -ExpandProperty "ImportSavedPasswords"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.3"
+ Task = "(L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "AutofillCreditCardEnabled" `
+ | Select-Object -ExpandProperty "AutofillCreditCardEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.4"
+ Task = "(L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" `
+ -Name "AutofillAddressEnabled" `
+ | Select-Object -ExpandProperty "AutofillAddressEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1
new file mode 100644
index 00000000..5dae170f
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1
@@ -0,0 +1,1296 @@
+[AuditTest] @{
+ Id = "DTBC-0001"
+ Task = "Firewall traversal from remote host must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" `
+ -Name "RemoteAccessHostFirewallTraversal" `
+ | Select-Object -ExpandProperty "RemoteAccessHostFirewallTraversal"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBC-0003"
+ Task = "Sites ability for showing desktop notifications must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" `
+ -Name "DefaultNotificationsSetting" `
+ | Select-Object -ExpandProperty "DefaultNotificationsSetting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBC-0004"
+ Task = "Sites ability to show pop-ups must be disabled."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultPopupsSetting" ` + | Select-Object -ExpandProperty "DefaultPopupsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0002" + Task = "Site tracking users location must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultGeolocationSetting" ` + | Select-Object -ExpandProperty "DefaultGeolocationSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0005" + Task = "Extensions installation must be blacklisted by default." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0006" + Task = "Extensions that are approved for use must be whitelisted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist" ` + -Name "ExtensionInstallWhitelist" ` + | Select-Object -ExpandProperty "ExtensionInstallWhitelist" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0009" + Task = "Default search provider must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultSearchProviderEnabled" ` + | Select-Object -ExpandProperty "DefaultSearchProviderEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0011" + Task = "The Password Manager must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PasswordManagerEnabled" ` + | Select-Object -ExpandProperty "PasswordManagerEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0013" + Task = "The running of outdated plugins must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome" ` + -Name "AllowOutdatedPlugins" ` + | Select-Object -ExpandProperty "AllowOutdatedPlugins" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0015" + Task = "Third party cookies must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "BlockThirdPartyCookies" ` + | Select-Object -ExpandProperty "BlockThirdPartyCookies" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0017" + Task = "Background processing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "BackgroundModeEnabled" ` + | Select-Object -ExpandProperty "BackgroundModeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0019" + Task = "3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "Disable3DAPIs" ` + | Select-Object -ExpandProperty "Disable3DAPIs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0020" + Task = "Google Data Synchronization must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SyncDisabled" ` + | Select-Object -ExpandProperty "SyncDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0021" + Task = "The URL protocol schema javascript must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\URLBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "javascript://*") { + return @{ + Message = "Registry value is '$regValue'. Expected: javascript://*" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0023" + Task = "Cloud print sharing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "CloudPrintProxyEnabled" ` + | Select-Object -ExpandProperty "CloudPrintProxyEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0025" + Task = "Network prediction must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "NetworkPredictionOptions" ` + | Select-Object -ExpandProperty "NetworkPredictionOptions" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0026" + Task = "Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. 
On standalone systems, the policy will not display.)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "MetricsReportingEnabled" ` + | Select-Object -ExpandProperty "MetricsReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0027" + Task = "Search suggestions must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SearchSuggestEnabled" ` + | Select-Object -ExpandProperty "SearchSuggestEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0029" + Task = "Importing of saved passwords must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ImportSavedPasswords" ` + | Select-Object -ExpandProperty "ImportSavedPasswords" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0030" + Task = "Incognito mode must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "IncognitoModeAvailability" ` + | Select-Object -ExpandProperty "IncognitoModeAvailability" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0037" + Task = "Online revocation checks must be done." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "EnableOnlineRevocationChecks" ` + | Select-Object -ExpandProperty "EnableOnlineRevocationChecks" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0038" + Task = "Safe Browsing must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SafeBrowsingEnabled" ` + | Select-Object -ExpandProperty "SafeBrowsingEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0039" + Task = "Browser history must be saved." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SavingBrowserHistoryDisabled" ` + | Select-Object -ExpandProperty "SavingBrowserHistoryDisabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0040" + Task = "Default behavior must block webpages from automatically running plugins." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultPluginsSetting" ` + | Select-Object -ExpandProperty "DefaultPluginsSetting" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0051" + Task = "URLs must be whitelisted for plugin use" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PluginsAllowedForUrls" ` + | Select-Object -ExpandProperty "PluginsAllowedForUrls" + + if ($regValue -ne "Suggested: the set or subset of [*.]mil and [*.]gov") { + return @{ + Message = "Registry value is '$regValue'. Expected: Suggested: the set or subset of [*.]mil and [*.]gov" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0052" + Task = "Deletion of browser history must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "AllowDeletingBrowserHistory" ` + | Select-Object -ExpandProperty "AllowDeletingBrowserHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0053" + Task = "Prompt for download location must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PromptForDownloadLocation" ` + | Select-Object -ExpandProperty "PromptForDownloadLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0064" + Task = "Autoplay must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "AutoplayAllowed" ` + | Select-Object -ExpandProperty "AutoplayAllowed" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0056" + Task = "Chrome must be configured to allow only TLS." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SSLVersionMin" ` + | Select-Object -ExpandProperty "SSLVersionMin" + + if ($regValue -ne "tls1.1") { + return @{ + Message = "Registry value is '$regValue'. Expected: tls1.1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0057" + Task = "Safe Browsing Extended Reporting must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SafeBrowsingExtendedReportingEnabled" ` + | Select-Object -ExpandProperty "SafeBrowsingExtendedReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0058" + Task = "WebUSB must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultWebUsbGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebUsbGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0060" + Task = "Chrome Cleanup must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ChromeCleanupEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0061" + Task = "Chrome Cleanup reporting must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ChromeCleanupReportingEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0063" + Task = "Google Cast must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "EnableMediaRouter" ` + | Select-Object -ExpandProperty "EnableMediaRouter" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0066" + Task = "Anonymized data collection must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "UrlKeyedAnonymizedDataCollectionEnabled" ` + | Select-Object -ExpandProperty "UrlKeyedAnonymizedDataCollectionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0067" + Task = "Collection of WebRTC event logs must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "WebRtcEventLogCollectionAllowed" ` + | Select-Object -ExpandProperty "WebRtcEventLogCollectionAllowed" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft IE11-CIS-1.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft IE11-CIS-1.0.0#RegistrySettings.ps1 new file mode 100644 index 00000000..20b8296f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft IE11-CIS-1.0.0#RegistrySettings.ps1 
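Review bot: DTBC-0006 reads a value named `ExtensionInstallWhitelist` directly under the `...\Chrome\ExtensionInstallWhitelist` key and expects `1`, which does not match how this same file reads list policies in DTBC-0005 and DTBC-0021 (`-Name "1"` under the list subkey, compared against the entry text); on a host where the whitelist is actually populated this test will most likely report "Registry value not found." instead of compliance. DTBC-0051 has a related defect: it compares `PluginsAllowedForUrls` against the literal string `"Suggested: the set or subset of [*.]mil and [*.]gov"`, which is guidance wording rather than a value an administrator would set, so the check can never pass. For both, read the list subkey (`-Path "...\Chrome\ExtensionInstallWhitelist" -Name "1"` and `-Path "...\Chrome\PluginsAllowedForUrls" -Name "1"`) and, since the approved entries are site-specific, treat a non-empty first entry as compliant and echo it in `Message` so the auditor can review it. DTBC-0005 and DTBC-0021 likewise inspect only entry `1`, so a `*` or `javascript://*` entry stored at a later index is reported as non-compliant; a short note in the `Task` text stating that only the first list entry is inspected would make that limitation visible in the report.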
@@ -0,0 +1,4534 @@
+[AuditTest] @{
+ Id = "1.1"
+ Task = "Set 'Turn on Enhanced Protected Mode' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Isolation" `
+ | Select-Object -ExpandProperty "Isolation"
+
+ if ($regValue -ne "PMEM") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: PMEM"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2"
+ Task = "Set 'Allow software to run or install even if the signature is invalid' to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
+ -Name "RunInvalidSignatures" `
+ | Select-Object -ExpandProperty "RunInvalidSignatures"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.3"
+ Task = "Set 'Prevent Bypassing SmartScreen Filter Warnings' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
+ -Name "PreventOverride" `
+ | Select-Object -ExpandProperty "PreventOverride"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.4"
+ Task = "Set 'Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
+ -Name "PreventOverrideAppRepUnknown" `
+ | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1"
+ Task = "Set 'Prevent per-user installation of ActiveX controls' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" `
+ -Name "BlockNonAdminActiveXInstall" `
+ | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.2"
+ Task = "Set 'Specify use of ActiveX Installer Service for installation of ActiveX controls' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" `
+ -Name "OnlyUseAXISForActiveXInstall" `
+ | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3"
+ Task = "Set 'Turn on ActiveX Filtering' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering" `
+ -Name "IsEnabled" `
+ | Select-Object -ExpandProperty "IsEnabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.4"
+ Task = "Set 'Turn off ActiveX opt-in prompt' to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
+ -Name "NoFirsttimeprompt" `
+ | Select-Object -ExpandProperty "NoFirsttimeprompt"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.5"
+ Task = "Set 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "DisableEPMCompat" `
+ | Select-Object -ExpandProperty "DisableEPMCompat"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.4"
+ Task = "Set 'Days to keep pages in History' to '40'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" `
+ -Name "DaysToKeep" `
+ | Select-Object -ExpandProperty "DaysToKeep"
+
+ if (($regValue -lt 40)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 40"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.7"
+ Task = "Set 'Prevent access to Delete Browsing History' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "DisableDeleteBrowsingHistory" `
+ | Select-Object -ExpandProperty "DisableDeleteBrowsingHistory"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4.2"
+ Task = "Set 'Update check interval (in days):' to 'Enabled:30'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Update_Check_Interval" `
+ | Select-Object -ExpandProperty "Update_Check_Interval"
+
+ if ($regValue -ne 30) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 30"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.1"
+ Task = "Set 'Turn off Encryption Support' to 'Use TLS 1.1 and TLS 1.2'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "SecureProtocols" `
+ | Select-Object -ExpandProperty "SecureProtocols"
+
+ if ($regValue -ne 2560) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2560"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.2"
+ Task = "Set 'Check for server certificate revocation' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "CertificateRevocation" `
+ | Select-Object -ExpandProperty "CertificateRevocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.3"
+ Task = "Set 'Check for signatures on downloaded programs' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" `
+ -Name "CheckExeSignatures" `
+ | Select-Object -ExpandProperty "CheckExeSignatures"
+
+ if ($regValue -ne "yes") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: yes"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.4"
+ Task = "Set 'Turn on certificate address mismatch warning' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "WarnOnBadCertRecving" `
+ | Select-Object -ExpandProperty "WarnOnBadCertRecving"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.5"
+ Task = "Set 'Prevent ignoring certificate errors' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "PreventIgnoreCertErrors" `
+ | Select-Object -ExpandProperty "PreventIgnoreCertErrors"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.6"
+ Task = "Set 'Disable changing certificate settings' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "Certificates" `
+ | Select-Object -ExpandProperty "Certificates"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "6.1"
+ Task = "Set 'Turn off browser geolocation' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Geolocation" `
+ -Name "PolicyDisableGeolocation" `
+ | Select-Object -ExpandProperty "PolicyDisableGeolocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.2"
+ Task = "Set 'Allow paste operations via script' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1407" `
+ | Select-Object -ExpandProperty "1407"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.3"
+ Task = "Set 'Protected Mode' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2500" `
+ | Select-Object -ExpandProperty "2500"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.4"
+ Task = "Set 'Turn on Cross-Site Scripting (XSS) Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1409" `
+ | Select-Object -ExpandProperty "1409"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.5"
+ Task = "Set 'Run .NET Framework-reliant components signed with Authenticode' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2001" `
+ | Select-Object -ExpandProperty "2001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.6"
+ Task = "Set 'Use Pop-up Blocker' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1809" `
+ | Select-Object -ExpandProperty "1809"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.7"
+ Task = "Set 'Scriptlets' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1209" `
+ | Select-Object -ExpandProperty "1209"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.8"
+ Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "120b" `
+ | Select-Object -ExpandProperty "120b"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.9"
+ Task = "Set 'Allow drag and drop or copy and paste files' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1802" `
+ | Select-Object -ExpandProperty "1802"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.10"
+ Task = "Set 'Run .NET Framework-reliant components not signed with Authenticode' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2004" `
+ | Select-Object -ExpandProperty "2004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.11"
+ Task = "Set 'Internet Explorer web browser control' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1206" `
+ | Select-Object -ExpandProperty "1206"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.12"
+ Task = "Set 'Download unsigned ActiveX controls' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1004" `
+ | Select-Object -ExpandProperty "1004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.13"
+ Task = "Set 'Download signed ActiveX controls' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1001" `
+ | Select-Object -ExpandProperty "1001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.14"
+ Task = "Set 'Allow font downloads' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1604" `
+ | Select-Object -ExpandProperty "1604"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.15"
+ Task = "Set 'Launching programs and unsafe files' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1806" `
+ | Select-Object -ExpandProperty "1806"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.16"
+ Task = "Set 'Automatic prompting for file downloads' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2200" `
+ | Select-Object -ExpandProperty "2200"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.17"
+ Task = "Set 'Allow installation of desktop items' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1800" `
+ | Select-Object -ExpandProperty "1800"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.18"
+ Task = "Set 'XAML Files' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2402" `
+ | Select-Object -ExpandProperty "2402"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.19"
+ Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.20"
+ Task = "Set 'Enable MIME Sniffing' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2100" `
+ | Select-Object -ExpandProperty "2100"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.21"
+ Task = "Set 'Logon options' to 'Enabled:Prompt for user name and password'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1A00" `
+ | Select-Object -ExpandProperty "1A00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.22"
+ Task = "Set 'Access data sources across domains' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1406" `
+ | Select-Object -ExpandProperty "1406"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.23"
+ Task = "Set 'Status bar updates via script' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2103" `
+ | Select-Object -ExpandProperty "2103"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.24"
+ Task = "Set 'Include local directory path when uploading files to a server' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "160A" `
+ | Select-Object -ExpandProperty "160A"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.25"
+ Task = "Set 'Userdata persistence' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1606" `
+ | Select-Object -ExpandProperty "1606"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.26"
+ Task = "Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2708" `
+ | Select-Object -ExpandProperty "2708"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.27"
+ Task = "Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1607" `
+ | Select-Object -ExpandProperty "1607"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.28"
+ Task = "Set 'Enable dragging of content from different domains across windows' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2709" `
+ | Select-Object -ExpandProperty "2709"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.29"
+ Task = "Set 'Allow script-initiated windows without size or position constraints' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2102" `
+ | Select-Object -ExpandProperty "2102"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.30"
+ Task = "Set 'Launching applications and files in an IFRAME' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1804" `
+ | Select-Object -ExpandProperty "1804"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.31"
+ Task = "Set 'Software channel permissions' to 'Enabled:High safety'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1E05" `
+ | Select-Object -ExpandProperty "1E05"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.33"
+ Task = "Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2101" `
+ | Select-Object -ExpandProperty "2101"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1.34"
+ Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.2.1"
+ Task = "Set 'Java permissions' to 'Enabled:High safety'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.2.2"
+ Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.2.3"
+ Task = "Set 'Intranet Sites: Include all network paths (UNCs)' to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" `
+ -Name "UNCAsIntranet" `
+ | Select-Object -ExpandProperty "UNCAsIntranet"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.2.4"
+ Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.2"
+ Task = "Set 'Allow drag and drop or copy and paste files' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1802" `
+ | Select-Object -ExpandProperty "1802"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.3"
+ Task = "Set 'Download signed ActiveX controls' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1001" `
+ | Select-Object -ExpandProperty "1001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.4"
+ Task = "Set 'Script ActiveX controls marked safe for scripting' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1405" `
+ | Select-Object -ExpandProperty "1405"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.5"
+ Task = "Set 'Allow active scripting' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1400" `
+ | Select-Object -ExpandProperty "1400"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.6"
+ Task = "Set 'Turn on Cross-Site Scripting (XSS) Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1409" `
+ | Select-Object -ExpandProperty "1409"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.7"
+ Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.8"
+ Task = "Set 'Run .NET Framework-reliant components signed with Authenticode' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2001" `
+ | Select-Object -ExpandProperty "2001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.9"
+ Task = "Set 'Allow paste operations via script' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1407" `
+ | Select-Object -ExpandProperty "1407"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.10"
+ Task = "Set 'Protected Mode' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2500" `
+ | Select-Object -ExpandProperty "2500"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.11"
+ Task = "Set 'Allow installation of desktop items' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1800" `
+ | Select-Object -ExpandProperty "1800"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.12"
+ Task = "Set 'Launching programs and unsafe files' to 'Enabled:Prompt'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1806" `
+ | Select-Object -ExpandProperty "1806"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.13"
+ Task = "Set 'Automatic prompting for file downloads' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2200" `
+ | Select-Object -ExpandProperty "2200"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.14"
+ Task = "Set 'XAML Files' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2402" `
+ | Select-Object -ExpandProperty "2402"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.15"
+ Task = "Set 'Allow font downloads' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1604" `
+ | Select-Object -ExpandProperty "1604"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.16"
+ Task = "Set 'Enable MIME Sniffing' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2100" `
+ | Select-Object -ExpandProperty "2100"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.17"
+ Task = "Set 'Internet Explorer web browser control' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1206" `
+ | Select-Object -ExpandProperty "1206"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.18"
+ Task = "Set 'Allow Binary and Script Behaviors' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2000" `
+ | Select-Object -ExpandProperty "2000"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.19"
+ Task = "Set 'Scripting of Java applets' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1402" `
+ | Select-Object -ExpandProperty "1402"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.20"
+ Task = "Set 'Use Pop-up Blocker' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1809" `
+ | Select-Object -ExpandProperty "1809"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.21"
+ Task = "Set 'Download unsigned ActiveX controls' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1004" `
+ | Select-Object -ExpandProperty "1004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.22"
+ Task = "Set 'Scriptlets' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1209" `
+ | Select-Object -ExpandProperty "1209"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.23"
+ Task = "Set 'Allow file downloads' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1803" `
+ | Select-Object -ExpandProperty "1803"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.24"
+ Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "120b" `
+ | Select-Object -ExpandProperty "120b"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.25"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.26"
+ Task = "Set 'Run ActiveX controls and plugins' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1200" `
+ | Select-Object -ExpandProperty "1200"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.27"
+ Task = "Set 'Run .NET Framework-reliant components not signed with Authenticode' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2004" `
+ | Select-Object -ExpandProperty "2004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.28"
+ Task = "Set 'Logon options' to 'Enabled:Anonymous logon'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1A00" `
+ | Select-Object -ExpandProperty "1A00"
+
+ if ($regValue -ne 196608) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 196608"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.29"
+ Task = "Set 'Allow script-initiated windows without size or position constraints' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2102" `
+ | Select-Object -ExpandProperty "2102"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.30"
+ Task = "Set 'Allow META REFRESH' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1608" `
+ | Select-Object -ExpandProperty "1608"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.31"
+ Task = "Set 'Userdata persistence' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1606" `
+ | Select-Object -ExpandProperty "1606"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.32"
+ Task = "Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1607" `
+ | Select-Object -ExpandProperty "1607"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.33"
+ Task = "Set 'Software channel permissions' to 'Enabled:High safety'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1E05" `
+ | Select-Object -ExpandProperty "1E05"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.34"
+ Task = "Set 'Include local directory path when uploading files to a server' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "160A" `
+ | Select-Object -ExpandProperty "160A"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.35"
+ Task = "Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2708" `
+ | Select-Object -ExpandProperty "2708"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.36"
+ Task = "Set 'Status bar updates via script' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2103" `
+ | Select-Object -ExpandProperty "2103"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.37"
+ Task = "Set 'Access data sources across domains' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1406" `
+ | Select-Object -ExpandProperty "1406"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.38"
+ Task = "Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2101" `
+ | Select-Object -ExpandProperty "2101"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.40"
+ Task = "Set 'Enable dragging of content from different domains across windows' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2709" `
+ | Select-Object -ExpandProperty "2709"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.41"
+ Task = "Set 'Launching applications and files in an IFRAME' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1804" `
+ | Select-Object -ExpandProperty "1804"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.3.42"
+ Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.4.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.4.2"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.4.3"
+ Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.5.1"
+ Task = "Set 'Java permissions' to 'Enabled:High safety'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.5.2"
+ Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.5.3"
+ Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.6.1"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.6.2"
+ Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" `
+ -Name "120b" `
+ | Select-Object -ExpandProperty "120b"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.7.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.7.2"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.8.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.8.2"
+ Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
+ -Name "120b" `
+ | Select-Object -ExpandProperty "120b"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.8.3"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.9.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.9.2"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.10.1"
+ Task = "Set 'Java permissions' to 'Enabled:Disable Java'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.10.2"
+ Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.11"
+ Task = "Set 'Security Zones: Do not allow users to change policies' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "Security_options_edit" `
+ | Select-Object -ExpandProperty "Security_options_edit"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.12"
+ Task = "Set 'Security Zones: Do not allow users to add/delete sites' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "Security_zones_map_edit" `
+ | Select-Object -ExpandProperty "Security_zones_map_edit"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.13"
+ Task = "Set 'Security Zones: Use only machine settings' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "Security_HKLM_only" `
+ | Select-Object -ExpandProperty "Security_HKLM_only"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1"
+ Task = "Set 'Disable the Security page' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "SecurityTab" `
+ | Select-Object -ExpandProperty "SecurityTab"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2"
+ Task = "Set 'Disable the Advanced page' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "AdvancedTab" `
+ | Select-Object -ExpandProperty "AdvancedTab"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3"
+ Task = "Set 'Prevent downloading of enclosures' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" `
+ -Name "DisableEnclosureDownload" `
+ | Select-Object -ExpandProperty "DisableEnclosureDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.7"
+ Task = "Set 'Prevent changing proxy settings' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "Proxy" `
+ | Select-Object -ExpandProperty "Proxy"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.9"
+ Task = "Set 'Prevent `"Fix settings`" functionality' to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" `
+ -Name "DisableFixSecuritySettings" `
+ | Select-Object -ExpandProperty "DisableFixSecuritySettings"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.10"
+ Task = "Set 'Turn off the Security Settings Check feature' to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" `
+ -Name "DisableSecuritySettingsCheck" `
+ | Select-Object -ExpandProperty "DisableSecuritySettingsCheck"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.12"
+ Task = "Set 'Turn off Crash Detection' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" `
+ -Name "NoCrashDetection" `
+ | Select-Object -ExpandProperty "NoCrashDetection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.13"
+ Task = "Set 'Disable AutoComplete for forms' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "FormSuggest" `
+ | Select-Object -ExpandProperty "FormSuggest"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.15"
+ Task = "Set 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Isolation64Bit" `
+ | Select-Object -ExpandProperty "Isolation64Bit"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft IE11-DISA-V1R16#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft IE11-DISA-V1R16#RegistrySettings.ps1
new file mode 100644
index 00000000..28fa51cd
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft IE11-DISA-V1R16#RegistrySettings.ps1 
@@ -0,0 +1,4968 @@
+[AuditTest] @{
+ Id = "DTBI014-IE11"
+ Task = "Turn off Encryption Support must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "SecureProtocols" `
+ | Select-Object -ExpandProperty "SecureProtocols"
+
+ if ($regValue -ne 2560) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2560"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI015-IE11"
+ Task = "The Internet Explorer warning about certificate address mismatch must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "WarnOnBadCertRecving" `
+ | Select-Object -ExpandProperty "WarnOnBadCertRecving"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI018-IE11"
+ Task = "Check for publishers certificate revocation must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" `
+ -Name "State" `
+ | Select-Object -ExpandProperty "State"
+
+ if ($regValue -ne 146432) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 146432"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI022-IE11"
+ Task = "The Download signed ActiveX controls property must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1001" `
+ | Select-Object -ExpandProperty "1001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI023-IE11"
+ Task = "The Download unsigned ActiveX controls property must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1004" `
+ | Select-Object -ExpandProperty "1004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI024-IE11"
+ Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI030-IE11"
+ Task = "Font downloads must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1604" `
+ | Select-Object -ExpandProperty "1604"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI031-IE11"
+ Task = "The Java permissions must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI032-IE11"
+ Task = "Accessing data sources across domains must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1406" `
+ | Select-Object -ExpandProperty "1406"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI036-IE11"
+ Task = "Functionality to drag and drop or copy and paste files must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1802" `
+ | Select-Object -ExpandProperty "1802"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI038-IE11"
+ Task = "Launching programs and files in IFRAME must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1804" `
+ | Select-Object -ExpandProperty "1804"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI039-IE11"
+ Task = "Navigating windows and frames across different domains must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1607" `
+ | Select-Object -ExpandProperty "1607"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI042-IE11"
+ Task = "Userdata persistence must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1606" `
+ | Select-Object -ExpandProperty "1606"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI044-IE11"
+ Task = "Clipboard operations via script must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1407" `
+ | Select-Object -ExpandProperty "1407"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI046-IE11"
+ Task = "Logon options must be configured to prompt (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "1A00" `
+ | Select-Object -ExpandProperty "1A00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI061-IE11"
+ Task = "Java permissions must be configured with High Safety (Intranet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI091-IE11"
+ Task = "Java permissions must be configured with High Safety (Trusted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 65536) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 65536"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1000-IE11"
+ Task = "Dragging of content from different domains within a window must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2708" `
+ | Select-Object -ExpandProperty "2708"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1005-IE11"
+ Task = "Dragging of content from different domains across windows must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2709" `
+ | Select-Object -ExpandProperty "2709"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1010-IE11"
+ Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Explorer)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
+ -Name "explorer.exe" `
+ | Select-Object -ExpandProperty "explorer.exe"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1020-IE11"
+ Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (iexplore)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
+ -Name "iexplore.exe" `
+ | Select-Object -ExpandProperty "iexplore.exe"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1025-IE11"
+ Task = "Dragging of content from different domains within a window must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2708" `
+ | Select-Object -ExpandProperty "2708"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI112-IE11"
+ Task = "The Download signed ActiveX controls property must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1001" `
+ | Select-Object -ExpandProperty "1001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI113-IE11"
+ Task = "The Download unsigned ActiveX controls property must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1004" `
+ | Select-Object -ExpandProperty "1004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI114-IE11"
+ Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI115-IE11"
+ Task = "ActiveX controls and plug-ins must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1200" `
+ | Select-Object -ExpandProperty "1200"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI116-IE11"
+ Task = "ActiveX controls marked safe for scripting must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1405" `
+ | Select-Object -ExpandProperty "1405"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI119-IE11"
+ Task = "File downloads must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1803" `
+ | Select-Object -ExpandProperty "1803"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI120-IE11"
+ Task = "Font downloads must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1604" `
+ | Select-Object -ExpandProperty "1604"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI121-IE11"
+ Task = "Java permissions must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1C00" `
+ | Select-Object -ExpandProperty "1C00"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI122-IE11"
+ Task = "Accessing data sources across domains must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1406" `
+ | Select-Object -ExpandProperty "1406"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI123-IE11"
+ Task = "The Allow META REFRESH property must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1608" `
+ | Select-Object -ExpandProperty "1608"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI126-IE11" + Task = "Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI128-IE11" + Task = "Launching programs and files in IFRAME must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI129-IE11" + Task = "Navigating windows and frames across different domains must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI132-IE11" + Task = "Userdata persistence must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI133-IE11" + Task = "Active scripting must be disallowed (Restricted Sites Zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI134-IE11" + Task = "Clipboard operations via script must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI136-IE11" + Task = "Logon options must be configured and enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI300-IE11" + Task = "Configuring History setting must be set to 40 days." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" ` + -Name "DaysToKeep" ` + | Select-Object -ExpandProperty "DaysToKeep" + + if ($regValue -ne 40) { + return @{ + Message = "Registry value is '$regValue'. Expected: 40" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI318-IE11" + Task = "Internet Explorer must be set to disallow users to add/delete sites." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI319-IE11" + Task = "Internet Explorer must be configured to disallow users to change policies." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI320-IE11" + Task = "Internet Explorer must be configured to use machine settings." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI325-IE11" + Task = "Security checking features must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI350-IE11" + Task = "Software must be disallowed to run or install with invalid signatures." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI365-IE11" + Task = "Checking for server certificate revocation must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI370-IE11" + Task = "Checking for signatures on downloaded programs must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI375-IE11" + Task = "All network paths (UNCs) for Intranet sites must be disallowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI385-IE11" + Task = "Script-initiated windows without size or position constraints must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI390-IE11" + Task = "Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI395-IE11" + Task = "Scriptlets must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI415-IE11" + Task = "Automatic prompting for file downloads must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI425-IE11" + Task = "Java permissions must be disallowed (Local Machine zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI430-IE11" + Task = "Java permissions must be disallowed (Locked Down Local Machine zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI435-IE11" + Task = "Java permissions must be disallowed (Locked Down Intranet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI440-IE11" + Task = "Java permissions must be disallowed (Locked Down Trusted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI450-IE11" + Task = "Java permissions must be disallowed (Locked Down Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI455-IE11" + Task = "XAML files must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI460-IE11" + Task = "XAML files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI485-IE11" + Task = "Protected Mode must be enforced (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI490-IE11" + Task = "Protected Mode must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI495-IE11" + Task = "Pop-up Blocker must be enforced (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI500-IE11" + Task = "Pop-up Blocker must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI515-IE11" + Task = "Websites in less privileged web content zones must be prevented from navigating into the Internet zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI520-IE11" + Task = "Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI575-IE11" + Task = "Allow binary and script behaviors must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI580-IE11" + Task = "Automatic prompting for file downloads must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI590-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced. 
(Reserved)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI592-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI594-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI595-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI596-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI597-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI599-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI600-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI605-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI610-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI612-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI614-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI630-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI635-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI640-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI645-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI647-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI649-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI650-IE11" + Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI655-IE11" + Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI670-IE11" + Task = "Scripting of Java applets must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI690-IE11" + Task = "AutoComplete feature for forms must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Use FormSuggest" ` + | Select-Object -ExpandProperty "Use FormSuggest" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI715-IE11" + Task = "Crash Detection management must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI725-IE11" + Task = "Turn on the auto-complete feature for user names and passwords on forms must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI740-IE11" + Task = "Managing SmartScreen Filter use must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI760-IE11" + Task = "Browser must retain history on exit." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "ClearBrowsingHistoryOnExit" ` + | Select-Object -ExpandProperty "ClearBrowsingHistoryOnExit" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI770-IE11" + Task = "Deleting websites that the user has visited must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanHistory" ` + | Select-Object -ExpandProperty "CleanHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI780-IE11" + Task = "InPrivate Browsing must be disallowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "EnableInPrivateBrowsing" ` + | Select-Object -ExpandProperty "EnableInPrivateBrowsing" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI800-IE11" + Task = "Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI810-IE11" + Task = "When uploading files to a server, the local directory path must be excluded (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI815-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI820-IE11" + Task = "Security Warning for unsafe files must be set to prompt (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI825-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI830-IE11" + Task = "ActiveX controls without prompt property must be used in approved domains only (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI835-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI840-IE11" + Task = "Cross-Site Scripting Filter must be enforced (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI850-IE11" + Task = "Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI860-IE11" + Task = "When uploading files to a server, the local directory path must be excluded (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI870-IE11" + Task = "Security Warning for unsafe files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI880-IE11" + Task = "ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI890-IE11" + Task = "Cross-Site Scripting Filter property must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI900-IE11" + Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI910-IE11" + Task = "Status bar updates via script must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI920-IE11" + Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone)." 
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2004" `
+ | Select-Object -ExpandProperty "2004"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI930-IE11"
+ Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2001" `
+ | Select-Object -ExpandProperty "2001"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI940-IE11"
+ Task = "Scriptlets must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "1209" `
+ | Select-Object -ExpandProperty "1209"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI950-IE11"
+ Task = "Status bar updates via script must be disallowed (Restricted Sites zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2103" `
+ | Select-Object -ExpandProperty "2103"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI985-IE11"
+ Task = "When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "DisableEPMCompat" `
+ | Select-Object -ExpandProperty "DisableEPMCompat"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI990-IE11"
+ Task = "Dragging of content from different domains across windows must be disallowed (Internet zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2709" `
+ | Select-Object -ExpandProperty "2709"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI995-IE11"
+ Task = "Enhanced Protected Mode functionality must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Isolation" `
+ | Select-Object -ExpandProperty "Isolation"
+
+ if ($regValue -ne "PMEM") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: PMEM"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI356-IE11"
+ Task = "The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Isolation64Bit" `
+ | Select-Object -ExpandProperty "Isolation64Bit"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1046-IE11"
+ Task = "Anti-Malware programs against ActiveX controls must be run for the Internet zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI062-IE11"
+ Task = "Anti-Malware programs against ActiveX controls must be run for the Intranet zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI426-IE11"
+ Task = "Anti-Malware programs against ActiveX controls must be run for the Local Machine zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1051-IE11"
+ Task = "Anti-Malware programs against ActiveX controls must be run for the Restricted Sites zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI092-IE11"
+ Task = "Anti-Malware programs against ActiveX controls must be run for the Trusted Sites zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "270C" `
+ | Select-Object -ExpandProperty "270C"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1060-IE11"
+ Task = "Prevent bypassing SmartScreen Filter warnings must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
+ -Name "PreventOverride" `
+ | Select-Object -ExpandProperty "PreventOverride"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1065-IE11"
+ Task = "Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" `
+ -Name "PreventOverrideAppRepUnknown" `
+ | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1070-IE11"
+ Task = "Prevent per-user installation of ActiveX controls must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" `
+ -Name "BlockNonAdminActiveXInstall" `
+ | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1075-IE11"
+ Task = "Prevent ignoring certificate errors option must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "PreventIgnoreCertErrors" `
+ | Select-Object -ExpandProperty "PreventIgnoreCertErrors"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1080-IE11"
+ Task = "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1085-IE11"
+ Task = "Turn on SmartScreen Filter scan option for the Restricted Sites Zone must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "2301" `
+ | Select-Object -ExpandProperty "2301"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1090-IE11"
+ Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Intranet Zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1095-IE11"
+ Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" `
+ -Name "1201" `
+ | Select-Object -ExpandProperty "1201"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1100-IE11"
+ Task = "Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
+ -Name "EnableSSL3Fallback" `
+ | Select-Object -ExpandProperty "EnableSSL3Fallback"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1105-IE11"
+ Task = "Run once selection for running outdated ActiveX controls must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
+ -Name "RunThisTimeEnabled" `
+ | Select-Object -ExpandProperty "RunThisTimeEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1110-IE11"
+ Task = "Enabling outdated ActiveX controls for Internet Explorer must be blocked."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" `
+ -Name "VersionCheckEnabled" `
+ | Select-Object -ExpandProperty "VersionCheckEnabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1115-IE11"
+ Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "120c" `
+ | Select-Object -ExpandProperty "120c"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1120-IE11"
+ Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "120c" `
+ | Select-Object -ExpandProperty "120c"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1125-IE11"
+ Task = "VBScript must not be allowed to run in Internet Explorer (Internet zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
+ -Name "140C" `
+ | Select-Object -ExpandProperty "140C"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTBI1130-IE11"
+ Task = "VBScript must not be allowed to run in Internet Explorer (Restricted Sites zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" `
+ -Name "140C" `
+ | Select-Object -ExpandProperty "140C"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings.ps1
new file mode 100644
index 00000000..c49bb7fe
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings.ps1
@@ -0,0 +1,1502 @@ +[AuditTest] @{ + Id = "DTOO104" + Task = "Disabling of user name and password syntax from being used in URLs must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO105" + Task = "Open/Save actions for Excel 4 macrosheets and add-in files must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL4Macros" ` + | Select-Object -ExpandProperty "XL4Macros" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO106" + Task = "Open/Save actions for Excel 4 workbooks must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL4Workbooks" ` + | Select-Object -ExpandProperty "XL4Workbooks" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO107" + Task = "Open/Save actions for Excel 4 worksheets must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL4Worksheets" ` + | Select-Object -ExpandProperty "XL4Worksheets" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO108" + Task = "Actions for Excel 95 workbooks must be configured to edit in Protected View." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL95Workbooks" ` + | Select-Object -ExpandProperty "XL95Workbooks" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO109" + Task = "Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\excel\security\fileblock" ` + -Name "XL9597WorkbooksandTemplates" ` + | Select-Object -ExpandProperty "XL9597WorkbooksandTemplates" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO110" + Task = "Blocking as default file block opening behavior must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "OpenInProtectedView" ` + | Select-Object -ExpandProperty "OpenInProtectedView" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO111" + Task = "Enabling IE Bind to Object functionality must be present." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO112" + Task = "Open/Save actions for Dif and Sylk files must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "DifandSylkFiles" ` + | Select-Object -ExpandProperty "DifandSylkFiles" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO113" + Task = "Open/Save actions for Excel 2 macrosheets and add-in files must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL2Macros" ` + | Select-Object -ExpandProperty "XL2Macros" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO114" + Task = "Open/Save actions for Excel 2 worksheets must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL2Worksheets" ` + | Select-Object -ExpandProperty "XL2Worksheets" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO115" + Task = "Open/Save actions for Excel 3 macrosheets and add-in files must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL3Macros" ` + | Select-Object -ExpandProperty "XL3Macros" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO116" + Task = "Open/Save actions for Excel 3 worksheets must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "XL3Worksheets" ` + | Select-Object -ExpandProperty "XL3Worksheets" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO117" + Task = "Saved from URL mark to assure Internet zone processing must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO119" + Task = "Configuration for file validation must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation" ` + -Name "EnableOnLoad" ` + | Select-Object -ExpandProperty "EnableOnLoad" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO120" + Task = "Open/Save actions for web pages and Excel 2003 XML spreadsheets must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "HtmlandXmlssFiles" ` + | Select-Object -ExpandProperty "HtmlandXmlssFiles" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO121" + Task = "Files from the Internet zone must be opened in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview" ` + -Name "DisableInternetFilesInPV " ` + | Select-Object -ExpandProperty "DisableInternetFilesInPV " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO122" + Task = "Open/Save actions for dBase III / IV files must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock" ` + -Name "DBaseFiles" ` + | Select-Object -ExpandProperty "DBaseFiles" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO123" + Task = "Navigation to URLs embedded in Office products must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO124" + Task = "Scripted Window Security must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO126" + Task = "Add-on Management functionality must be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO127" + Task = "Add-ins to Office applications must be signed by a Trusted Publisher." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security" ` + -Name "RequireAddinSig" ` + | Select-Object -ExpandProperty "RequireAddinSig" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO129" + Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO131" + Task = "Trust Bar Notifications for unsigned application add-ins must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security" ` + -Name "NoTBPromptUnsignedAddin" ` + | Select-Object -ExpandProperty "NoTBPromptUnsignedAddin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO132" + Task = "File Downloads must be configured for proper restrictions." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO133" + Task = "All automatic loading from trusted locations must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\trusted locations" ` + -Name "AllLocationsDisabled" ` + | Select-Object -ExpandProperty "AllLocationsDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO134" + Task = "Disallowance of trusted locations on the network must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\trusted locations" ` + -Name "AllowNetworkLocations" ` + | Select-Object -ExpandProperty "AllowNetworkLocations" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO139" + Task = "The Save commands default file format must be configured." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\options" ` + -Name "DefaultFormat" ` + | Select-Object -ExpandProperty "DefaultFormat" + + if ($regValue -ne 51) { + return @{ + Message = "Registry value is '$regValue'. Expected: 51" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO142" + Task = "The scanning of encrypted macros in open XML documents must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security" ` + -Name "ExcelBypassEncryptedMacroScan " ` + | Select-Object -ExpandProperty "ExcelBypassEncryptedMacroScan " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO145" + Task = "Macro storage must be in personal macro workbooks." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions" ` + -Name "fGlobalSheet_37_1" ` + | Select-Object -ExpandProperty "fGlobalSheet_37_1" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO146" + Task = "Trust access for VBA must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security" ` + -Name "AccessVBOM" ` + | Select-Object -ExpandProperty "AccessVBOM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO209" + Task = "Protection from zone elevation must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO211" + Task = "ActiveX Installs must be configured for proper restriction." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO288" + Task = "Files in unsafe locations must be opened in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview" ` + -Name "DisableUnsafeLocationsInPV " ` + | Select-Object -ExpandProperty "DisableUnsafeLocationsInPV " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO292" + Task = "Document behavior if file validation fails must be set." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation" ` + -Name "openinprotectedview " ` + | Select-Object -ExpandProperty "openinprotectedview " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO292_b" + Task = "Document behavior if file validation fails must be set." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation" ` + -Name "DisableEditFromPV " ` + | Select-Object -ExpandProperty "DisableEditFromPV " + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO293" + Task = "Excel attachments opened from Outlook must be in Protected View." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\security\protectedview" ` + -Name "DisableAttachmentsInPV " ` + | Select-Object -ExpandProperty "DisableAttachmentsInPV " + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO304" + Task = "Warning Bar settings for VBA macros must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\excel\security" ` + -Name "vbawarnings" ` + | Select-Object -ExpandProperty "vbawarnings" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO418" + Task = "WEBSERVICE functions must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\excel\security" ` + -Name "webservicefunctionwarnings " ` + | Select-Object -ExpandProperty "webservicefunctionwarnings " + + return @{ + Message = "Registry value found." 
+ Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO419" + Task = "Corrupt workbook options must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\excel\options" ` + -Name "extractdatadisableui" ` + | Select-Object -ExpandProperty "extractdatadisableui" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO600" + Task = "Macros must be blocked from running in Office files from the Internet." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security" ` + -Name "blockcontentexecutionfrominternet" ` + | Select-Object -ExpandProperty "blockcontentexecutionfrominternet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO605"
+ Task = "Files on local Intranet UNC must be opened in Protected View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview" `
+ -Name "DisableIntranetCheck" `
+ | Select-Object -ExpandProperty "DisableIntranetCheck"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings.ps1
new file mode 100644
index 00000000..f1ecc769
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings.ps1
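Review bot: Several value names in this file carry a trailing space inside the quotes — `-Name "DisableInternetFilesInPV "` in DTOO121, and likewise `"ExcelBypassEncryptedMacroScan "` (DTOO142), `"DisableUnsafeLocationsInPV "` (DTOO288), `"openinprotectedview "` (DTOO292), `"DisableEditFromPV "` (DTOO292_b), `"DisableAttachmentsInPV "` (DTOO293) and `"webservicefunctionwarnings "` (DTOO418). Registry value names are matched literally, so a name with a trailing space most likely never matches the real value: for the existence-based checks (DTOO121, DTOO142, DTOO288, DTOO292, DTOO418) the lookup would always throw PSArgumentException and report `Compliant. Registry value not found.` whatever the machine is actually set to, while DTOO292_b and DTOO293 could never report compliant. The fix is to drop the space in both the `-Name` argument and the `Select-Object -ExpandProperty` argument, e.g. `-Name "DisableInternetFilesInPV"` and `| Select-Object -ExpandProperty "DisableInternetFilesInPV"`. Separately, DTOO121 and DTOO288 treat any value under `protectedview` as non-compliant, whereas DTOO293 and DTOO605 accept the analogous values when set to 0; it is worth confirming against the benchmark which shape each requirement actually has before release. Since these keys live under HKEY_CURRENT_USER, each result reflects only the account running the audit, which the report should state so the reader does not take it as a machine-wide finding.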
@@ -0,0 +1,1980 @@
+[AuditTest] @{
+ Id = "DTOO104"
+ Task = "Disabling of user name and password syntax from being used in URLs must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO111"
+ Task = "Enabling IE Bind to Object functionality must be present."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO117"
+ Task = "Saved from URL mark to assure Internet zone processing must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO123"
+ Task = "Navigation to URLs embedded in Office products must be blocked."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO124"
+ Task = "Scripted Window Security must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO126"
+ Task = "Add-on Management functionality must be allowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO129"
+ Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO132"
+ Task = "File Downloads must be configured for proper restrictions."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO209"
+ Task = "Protection from zone elevation must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO211"
+ Task = "ActiveX Installs must be configured for proper restriction."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
+ -Name "outlook.exe" `
+ | Select-Object -ExpandProperty "outlook.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO216"
+ Task = "Publishing calendars to Office Online must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" `
+ -Name "DisableOfficeOnline" `
+ | Select-Object -ExpandProperty "DisableOfficeOnline"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO217"
+ Task = "Publishing to a Web Distributed and Authoring (DAV) server must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" `
+ -Name "DisableDav" `
+ | Select-Object -ExpandProperty "DisableDav"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO218"
+ Task = "Level of calendar details that a user can publish must be restricted."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" `
+ -Name "PublishCalendarDetailsPolicy" `
+ | Select-Object -ExpandProperty "PublishCalendarDetailsPolicy"
+
+ if ($regValue -ne 16384) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 16384"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO219"
+ Task = "Access restriction settings for published calendars must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" `
+ -Name "RestrictedAccessOnly" `
+ | Select-Object -ExpandProperty "RestrictedAccessOnly"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO232"
+ Task = "Outlook Object Model scripts must be disallowed to run for shared folders."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "SharedFolderScript" `
+ | Select-Object -ExpandProperty "SharedFolderScript"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO233"
+ Task = "Outlook Object Model scripts must be disallowed to run for public folders."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PublicFolderScript" `
+ | Select-Object -ExpandProperty "PublicFolderScript"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO234"
+ Task = "ActiveX One-Off forms must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "AllowActiveXOneOffForms" `
+ | Select-Object -ExpandProperty "AllowActiveXOneOffForms"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO236"
+ Task = "The Add-In Trust Level must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "AddinTrust" `
+ | Select-Object -ExpandProperty "AddinTrust"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO237"
+ Task = "The remember password for internet e-mail accounts must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "EnableRememberPwd" `
+ | Select-Object -ExpandProperty "EnableRememberPwd"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. 
Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO238"
+ Task = "Users customizing attachment security settings must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook" `
+ -Name "DisallowAttachmentCustomization" `
+ | Select-Object -ExpandProperty "DisallowAttachmentCustomization"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO239"
+ Task = "Outlook Security Mode must be configured to use Group Policy settings."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "AdminSecurityMode" `
+ | Select-Object -ExpandProperty "AdminSecurityMode"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO240"
+ Task = "The ability to display level 1 attachments must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "ShowLevel1Attach" `
+ | Select-Object -ExpandProperty "ShowLevel1Attach"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO246"
+ Task = "Scripts in One-Off Outlook forms must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "EnableOneOffFormScripts" `
+ | Select-Object -ExpandProperty "EnableOneOffFormScripts"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO247"
+ Task = "Custom Outlook Object Model (OOM) action execution prompts must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMCustomAction" `
+ | Select-Object -ExpandProperty "PromptOOMCustomAction"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO249"
+ Task = "Object Model Prompt for programmatic email send behavior must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMSend" `
+ | Select-Object -ExpandProperty "PromptOOMSend"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO250"
+ Task = "Object Model Prompt behavior for programmatic address books must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMAddressBookAccess" `
+ | Select-Object -ExpandProperty "PromptOOMAddressBookAccess"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO251"
+ Task = "Object Model Prompt behavior for programmatic access of user address data must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMAddressInformationAccess" `
+ | Select-Object -ExpandProperty "PromptOOMAddressInformationAccess"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO252"
+ Task = "Object Model Prompt behavior for Meeting and Task Responses must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMMeetingTaskRequestResponse" `
+ | Select-Object -ExpandProperty "PromptOOMMeetingTaskRequestResponse"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO253"
+ Task = "Object Model Prompt behavior for the SaveAs method must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMSaveAs" `
+ | Select-Object -ExpandProperty "PromptOOMSaveAs"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO254"
+ Task = "Object Model Prompt behavior for accessing User Property Formula must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "PromptOOMFormulaAccess" `
+ | Select-Object -ExpandProperty "PromptOOMFormulaAccess"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO257"
+ Task = "S/Mime interoperability with external clients for message handling must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "ExternalSMime" `
+ | Select-Object -ExpandProperty "ExternalSMime"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO260"
+ Task = "Message formats must be set to use SMime."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "MsgFormats" `
+ | Select-Object -ExpandProperty "MsgFormats"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. 
Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO262"
+ Task = "Run in FIPS compliant mode must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "FIPSMode" `
+ | Select-Object -ExpandProperty "FIPSMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO264"
+ Task = "Send all signed messages as clear signed messages must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "ClearSign" `
+ | Select-Object -ExpandProperty "ClearSign"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO266"
+ Task = "Automatic sending s/Mime receipt requests must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "RespondToReceiptRequests" `
+ | Select-Object -ExpandProperty "RespondToReceiptRequests"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO267"
+ Task = "Retrieving of CRL data must be set for online action."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "UseCRLChasing" `
+ | Select-Object -ExpandProperty "UseCRLChasing"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO270"
+ Task = "External content and pictures in HTML email must be displayed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" `
+ -Name "BlockExtContent" `
+ | Select-Object -ExpandProperty "BlockExtContent"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO271"
+ Task = "Automatic download content for email in Safe Senders list must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" `
+ -Name "UnblockSpecificSenders" `
+ | Select-Object -ExpandProperty "UnblockSpecificSenders"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO272"
+ Task = "Permit download of content from safe zones must be configured."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" ` + -Name "UnblockSafeZone" ` + | Select-Object -ExpandProperty "UnblockSafeZone" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO273" + Task = "IE Trusted Zones assumed trusted must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" ` + -Name "TrustedZone" ` + | Select-Object -ExpandProperty "TrustedZone" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO274" + Task = "Internet with Safe Zones for Picture Download must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" ` + -Name "Internet" ` + | Select-Object -ExpandProperty "Internet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO275" + Task = "Intranet with Safe Zones for automatic picture downloads must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" ` + -Name "Intranet" ` + | Select-Object -ExpandProperty "Intranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO276" + Task = "Always warn on untrusted macros must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" ` + -Name "Level" ` + | Select-Object -ExpandProperty "Level" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO277" + Task = "Hyperlinks in suspected phishing email messages must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" ` + -Name "JunkMailEnableLinks" ` + | Select-Object -ExpandProperty "JunkMailEnableLinks" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO279" + Task = "RPC encryption between Outlook and Exchange server must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\rpc" ` + -Name "EnableRPCEncryption" ` + | Select-Object -ExpandProperty "EnableRPCEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO280" + Task = "Outlook must be configured to force authentication when connecting to an Exchange server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" ` + -Name "AuthenticationService" ` + | Select-Object -ExpandProperty "AuthenticationService" + + if ($regValue -ne 16) { + return @{ + Message = "Registry value is '$regValue'. Expected: 16" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO283" + Task = "Disabling download full text of articles as HTML must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\rss" ` + -Name "EnableFullTextHTML" ` + | Select-Object -ExpandProperty "EnableFullTextHTML" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO284" + Task = "Automatic download of Internet Calendar appointment attachments must be disallowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal" ` + -Name "EnableAttachments" ` + | Select-Object -ExpandProperty "EnableAttachments" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO285" + Task = "Internet calendar integration in Outlook must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal" ` + -Name "Disable" ` + | Select-Object -ExpandProperty "Disable" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO286" + Task = "User Entries to Server List must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\meetings\profile" ` + -Name "ServerUI" ` + | Select-Object -ExpandProperty "ServerUI" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO313" + Task = "Automatically downloading enclosures on RSS must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\options\rss" ` + -Name "EnableAttachments" ` + | Select-Object -ExpandProperty "EnableAttachments" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO315" + Task = "Outlook must be configured not to prompt users to choose security settings if default settings fail." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" ` + -Name "ForceDefaultProfile" ` + | Select-Object -ExpandProperty "ForceDefaultProfile" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO316" + Task = "Outlook minimum encryption key length settings must be set." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" ` + -Name "MinEncKey" ` + | Select-Object -ExpandProperty "MinEncKey" + + if ($regValue -ne 168) { + return @{ + Message = "Registry value is '$regValue'. Expected: 168" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO317" + Task = "Replies or forwards to signed/encrypted messages must be signed/encrypted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" ` + -Name "NoCheckOnSessionSecurity" ` + | Select-Object -ExpandProperty "NoCheckOnSessionSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO320"
+ Task = "Check e-mail addresses against addresses of certificates being used must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\outlook\security" `
+ -Name "SupressNameChecks" `
+ | Select-Object -ExpandProperty "SupressNameChecks"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings.ps1
new file mode 100644
index 00000000..fcd01ba6
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings.ps1
@@ -0,0 +1,1322 @@
+[AuditTest] @{
+ Id = "DTOO104"
+ Task = "Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" `
+ -Name "powerpnt.exe" `
+ | Select-Object -ExpandProperty "powerpnt.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO110"
+ Task = "Blocking as default file block opening behavior must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\fileblock" `
+ -Name "OpenInProtectedView" `
+ | Select-Object -ExpandProperty "OpenInProtectedView"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO111"
+ Task = "The Internet Explorer Bind to Object functionality must be enabled in PowerPoint."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO117" + Task = "The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO119" + Task = "Configuration for file validation must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\filevalidation" ` + -Name "EnableOnLoad" ` + | Select-Object -ExpandProperty "EnableOnLoad" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO121" + Task = "Files from the Internet zone must be opened in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview" ` + -Name "DisableInternetFilesInPV " ` + | Select-Object -ExpandProperty "DisableInternetFilesInPV " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO126" + Task = "Add-on Management functionality must be allowed in PowerPoint." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO127" + Task = "Add-ins to Office applications must be signed by a Trusted Publisher." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security" ` + -Name "RequireAddinSig" ` + | Select-Object -ExpandProperty "RequireAddinSig" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO129" + Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO131" + Task = "Trust Bar Notifications for unsigned application add-ins must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\powerpoint\security" ` + -Name "notbpromptunsignedaddin" ` + | Select-Object -ExpandProperty "notbpromptunsignedaddin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO132" + Task = "File Downloads must be configured for proper restrictions in PowerPoint." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO133" + Task = "All automatic loading from trusted locations must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\trusted locations" ` + -Name "AllLocationsDisabled" ` + | Select-Object -ExpandProperty "AllLocationsDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO134" + Task = "Disallowance of trusted locations on the network must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\trusted locations" ` + -Name "AllowNetworkLocations" ` + | Select-Object -ExpandProperty "AllowNetworkLocations" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO139" + Task = "The Save commands default file format must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\options" ` + -Name "DefaultFormat" ` + | Select-Object -ExpandProperty "DefaultFormat" + + if ($regValue -ne 27) { + return @{ + Message = "Registry value is '$regValue'. Expected: 27" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO142" + Task = "The scanning of encrypted macros in open XML documents must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security" ` + -Name "PowerPointBypassEncryptedMacroScan" ` + | Select-Object -ExpandProperty "PowerPointBypassEncryptedMacroScan" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO146" + Task = "Trust access for VBA must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security" ` + -Name "AccessVBOM" ` + | Select-Object -ExpandProperty "AccessVBOM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO209" + Task = "Protection from zone elevation must be enforced in PowerPoint." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO211" + Task = "ActiveX Installs must be configured for proper restriction in PowerPoint." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO289" + Task = "The ability to run programs from a PowerPoint presentation must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security" ` + -Name "RunPrograms" ` + | Select-Object -ExpandProperty "RunPrograms" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO293" + Task = "Attachments opened from Outlook must be in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview" ` + -Name "DisableAttachmentsInPV " ` + | Select-Object -ExpandProperty "DisableAttachmentsInPV " + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO304" + Task = "Warning Bar settings for VBA macros must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\powerpoint\security" ` + -Name "VBAWarnings" ` + | Select-Object -ExpandProperty "VBAWarnings" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO501" + Task = "Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint Viewer. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO502" + Task = "The Internet Explorer Bind to Object functionality must be enabled in PowerPoint Viewer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO503" + Task = "The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint Viewer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO504" + Task = "Navigation to URLs embedded in Office products must be blocked in PowerPoint Viewer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO505" + Task = "Scripted Window Security must be enforced in PowerPoint Viewer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO506" + Task = "Add-on Management functionality must be allowed in PowerPoint Viewer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO507" + Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint Viewer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO509" + Task = "Protection from zone elevation must be enforced in PowerPoint Viewer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO510" + Task = "ActiveX Installs must be configured for proper restriction in PowerPoint Viewer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO600" + Task = "Macros must be blocked from running in Office files from the Internet." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\powerpoint\security" ` + -Name "blockcontentexecutionfrominternet" ` + | Select-Object -ExpandProperty "blockcontentexecutionfrominternet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO123" + Task = "Navigation to URLs embedded in Office products must be blocked in PowerPoint." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO124" + Task = "Scripted Window Security must be enforced in PowerPoint." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO288" + Task = "Files in unsafe locations must be opened in Protected View." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview" ` + -Name "DisableUnsafeLocationsInPV" ` + | Select-Object -ExpandProperty "DisableUnsafeLocationsInPV" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO292" + Task = "Document behavior if file validation fails must be set." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\filevalidation" ` + -Name "openinprotectedview " ` + | Select-Object -ExpandProperty "openinprotectedview " + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO605" + Task = "Files on local Intranet UNC must be opened in Protected View." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview" ` + -Name "DisableIntranetCheck" ` + | Select-Object -ExpandProperty "DisableIntranetCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO508" + Task = "File Downloads must be configured for proper restrictions in PowerPoint Viewer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings.ps1 new file mode 100644 index 00000000..a6dc0691 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings.ps1 
@@ -0,0 +1,108 @@
+[AuditTest] @{
+ Id = "DTOO420"
+ Task = "The ability to store user passwords in Skype must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync" `
+ -Name "savepassword" `
+ | Select-Object -ExpandProperty "savepassword"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO421"
+ Task = "Session Initiation Protocol (SIP) security mode must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync" `
+ -Name "enablesiphighsecuritymode" `
+ | Select-Object -ExpandProperty "enablesiphighsecuritymode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO422"
+ Task = "In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync" `
+ -Name "disablehttpconnect" `
+ | Select-Object -ExpandProperty "disablehttpconnect"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings.ps1
new file mode 100644
index 00000000..963294d1
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings.ps1
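Review bot: The three Skype checks (DTOO420–DTOO422) compare only the value, never its registry kind, so a REG_SZ "0" or "1" under `HKLM\Software\Policies\Microsoft\office\16.0\lync` (for example left by a hand edit rather than the GPO) is reported Compliant, whereas the STIG check text, as far as I recall, expects a REG_DWORD and it is not clear the Lync client honours a string there. After each `Get-ItemProperty` I would also read the kind, e.g. `$kind = (Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync").GetValueKind("savepassword")` and fail with `if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $regValue -ne 0) {`, reporting the kind in the failure message. As a point of style, the try/catch body is repeated verbatim three times with only the path, name and expected value varying; a shared helper taking those three arguments would keep the audit consistent with the other Office groups in this commit.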
@@ -0,0 +1,1254 @@ +[AuditTest] @{ + Id = "DTOO104" + Task = "Disabling of user name and password syntax from being used in URLs must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO110" + Task = "Blocking as default file block opening behavior must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" ` + -Name "OpenInProtectedView" ` + | Select-Object -ExpandProperty "OpenInProtectedView" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO111" + Task = "The Internet Explorer Bind to Object functionality must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO117" + Task = "Saved from URL mark to assure Internet zone processing must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO119" + Task = "Configuration for file validation must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\filevalidation" ` + -Name "EnableOnLoad" ` + | Select-Object -ExpandProperty "EnableOnLoad" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO121" + Task = "Files from the Internet zone must be opened in Protected View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" ` + -Name "DisableInternetFilesInPV" ` + | Select-Object -ExpandProperty "DisableInternetFilesInPV" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO123" + Task = "Navigation to URLs embedded in Office products must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO124" + Task = "Scripted Window Security must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO126" + Task = "Add-on Management functionality must be allowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO127" + Task = "Add-ins to Office applications must be signed by a Trusted Publisher." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" ` + -Name "RequireAddinSig" ` + | Select-Object -ExpandProperty "RequireAddinSig" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO129" + Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO131" + Task = "Trust Bar Notifications for unsigned application add-ins must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" ` + -Name "NoTBPromptUnsignedAddin" ` + | Select-Object -ExpandProperty "NoTBPromptUnsignedAddin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO132" + Task = "File Downloads must be configured for proper restrictions." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO133" + Task = "All automatic loading from trusted locations must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\trusted locations" ` + -Name "AllLocationsDisabled" ` + | Select-Object -ExpandProperty "AllLocationsDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO134" + Task = "Disallowance of trusted locations on the network must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\trusted locations" ` + -Name "AllowNetworkLocations" ` + | Select-Object -ExpandProperty "AllowNetworkLocations" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO139" + Task = "The Save commands default file format must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\options" ` + -Name "DefaultFormat" ` + | Select-Object -ExpandProperty "DefaultFormat" + + if ($regValue -ne "(blank)") { + return @{ + Message = "Registry value is '$regValue'. Expected: (blank)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTOO142" + Task = "Force encrypted macros to be scanned in open XML documents must be determined and configured." 
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" `
+ -Name "WordBypassEncryptedMacroScan" `
+ | Select-Object -ExpandProperty "WordBypassEncryptedMacroScan"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO146"
+ Task = "Trust access for VBA must be disallowed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" `
+ -Name "AccessVBOM" `
+ | Select-Object -ExpandProperty "AccessVBOM"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO209"
+ Task = "Protection from zone elevation must be enforced."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" `
+ -Name "winword.exe" `
+ | Select-Object -ExpandProperty "winword.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO211"
+ Task = "ActiveX Installs must be configured for proper restriction."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" `
+ -Name "winword.exe" `
+ | Select-Object -ExpandProperty "winword.exe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO288"
+ Task = "Files in unsafe locations must be opened in Protected View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" `
+ -Name "DisableUnsafeLocationsInPV" `
+ | Select-Object -ExpandProperty "DisableUnsafeLocationsInPV"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO292"
+ Task = "Document behavior if file validation fails must be set."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\security\filevalidation" `
+ -Name "openinprotectedview" `
+ | Select-Object -ExpandProperty "openinprotectedview"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO292_b"
+ Task = "Document behavior if file validation fails must be set."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\security\filevalidation" `
+ -Name "DisableEditFromPV" `
+ | Select-Object -ExpandProperty "DisableEditFromPV"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO293"
+ Task = "Attachments opened from Outlook must be in Protected View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" `
+ -Name "DisableAttachmentsInPV" `
+ | Select-Object -ExpandProperty "DisableAttachmentsInPV"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO302"
+ Task = "The automatically update links feature must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\options" `
+ -Name "DontUpdateLinks" `
+ | Select-Object -ExpandProperty "DontUpdateLinks"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO304"
+ Task = "Warning Bar settings for VBA macros must be configured."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" `
+ -Name "VBAWarnings" `
+ | Select-Object -ExpandProperty "VBAWarnings"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO328"
+ Task = "Online translation dictionaries must not be used."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\common\research\translation" `
+ -Name "useonline" `
+ | Select-Object -ExpandProperty "useonline"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO333"
+ Task = "Word 2 and earlier binary documents and templates must be blocked for open/save."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "Word2Files" `
+ | Select-Object -ExpandProperty "Word2Files"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO334"
+ Task = "Word 2000 binary documents and templates must be configured to edit in protected view."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "Word2000Files" `
+ | Select-Object -ExpandProperty "Word2000Files"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO336"
+ Task = "Word 6.0 binary documents and templates must be configured for block open/save actions."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "Word60Files" `
+ | Select-Object -ExpandProperty "Word60Files"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO337"
+ Task = "Word 95 binary documents and templates must be configured to edit in protected view."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "Word95Files" `
+ | Select-Object -ExpandProperty "Word95Files"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO338"
+ Task = "Word 97 binary documents and templates must be configured to edit in protected view."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "Word97Files" `
+ | Select-Object -ExpandProperty "Word97Files"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO339"
+ Task = "Word XP binary documents and templates must be configured to edit in protected view."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" `
+ -Name "WordXPFiles" `
+ | Select-Object -ExpandProperty "WordXPFiles"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO600"
+ Task = "Macros must be blocked from running in Office files from the Internet."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\word\security" `
+ -Name "blockcontentexecutionfrominternet" `
+ | Select-Object -ExpandProperty "blockcontentexecutionfrominternet"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "DTOO605"
+ Task = "Files on local Intranet UNC must be opened in Protected View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\security\protectedview" `
+ -Name "DisableIntranetCheck" `
+ | Select-Object -ExpandProperty "DisableIntranetCheck"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-BSI-V1.1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-BSI-V1.1#RegistrySettings.ps1
new file mode 100644
index 00000000..a06c66e3
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-BSI-V1.1#RegistrySettings.ps1
@@ -0,0 +1,144 @@
+[AuditTest] @{
+ Id = "3.1.1"
+ Task = "Configuration of the lowest telemetry-level"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" `
+ -Name "AllowTelemetry" `
+ | Select-Object -ExpandProperty "AllowTelemetry"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.1.2.1"
+ Task = "Deactivation of the telemetry-service and etw-sessions - DiagTrack"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.1.2.2"
+ Task = "Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.1.3.1"
+ Task = "Deactivation of telemetry according to Microsoft recommendation"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1
new file mode 100644
index 00000000..cbfcb63b
--- /dev/null
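Review bot: Test 3.1.3.1 reports Compliant only when `wuauserv` has `Start` = 4, i.e. when the Windows Update service is disabled, so a host that still receives patches is marked non-compliant while one with updates switched off passes. If the underlying BSI recommendation really maps to disabling wuauserv, the Task string should say so and the report should carry a caveat that this finding conflicts with patch management, e.g. `Task = "Windows Update service (wuauserv) disabled - note: conflicts with patch management"`; if it does not, the expected value or the registry path is wrong. Test 3.1.1 accepts AllowTelemetry = 0 as compliant without noting that, as far as Microsoft's documentation goes, the Security level is only honoured on Enterprise/Education/Server editions and behaves as Basic elsewhere, which the message could mention so the result is not over-read on Pro/Home. The Task string for 3.1.2.2 spells the listener `Diatrack` while the path reads `Diagtrack`; aligning the two keeps the report text matching the key that is checked.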
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 
@@ -0,0 +1,4138 @@
+[AuditTest] @{
+ Id = "1"
+ Task = "Turn off Automatic Root Certificates Update"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" `
+ -Name "DisableRootAutoUpdate" `
+ | Select-Object -ExpandProperty "DisableRootAutoUpdate"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1.1"
+ Task = "Disable Allow Cortana"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowCortana" `
+ | Select-Object -ExpandProperty "AllowCortana"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1.2"
+ Task = "Disable Allow search and Cortana to use location"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowSearchToUseLocation" `
+ | Select-Object -ExpandProperty "AllowSearchToUseLocation"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1.3"
+ Task = "Do not allow web search"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "DisableWebSearch" `
+ | Select-Object -ExpandProperty "DisableWebSearch"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1.4"
+ Task = "Don't search the web or display web results in Search"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "ConnectedSearchUseWeb" `
+ | Select-Object -ExpandProperty "ConnectedSearchUseWeb"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.1.5"
+ Task = "Set Set what information is shared in Search to Anonymous info"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "ConnectedSearchPrivacy" `
+ | Select-Object -ExpandProperty "ConnectedSearchPrivacy"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.1"
+ Task = "Prevent Windows from setting the time automatically"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" `
+ -Name "Type" `
+ | Select-Object -ExpandProperty "Type"
+
+ if ($regValue -ne "NoSync") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: NoSync"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "3.2"
+ Task = "Disable Windows NTP Client"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "4"
+ Task = "Prevent Windows from retrieving device metadata from the Internet"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" `
+ -Name "PreventDeviceMetadataFromNetwork" `
+ | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5"
+ Task = "Turn off Find My Device"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice" `
+ -Name "AllowFindMyDevice" `
+ | Select-Object -ExpandProperty "AllowFindMyDevice"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "6"
+ Task = "Disable Font Providers"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableFontProviders" `
+ | Select-Object -ExpandProperty "EnableFontProviders"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "7"
+ Task = "Turn off Insider Preview builds for Windows 10"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" `
+ -Name "AllowBuildPreview" `
+ | Select-Object -ExpandProperty "AllowBuildPreview"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.1"
+ Task = "Disable Suggested Sites"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.2"
+ Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer" `
+ -Name "AllowServicePoweredQSA" `
+ | Select-Object -ExpandProperty "AllowServicePoweredQSA"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.3"
+ Task = "Turn off the auto-complete feature for web addresses"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" `
+ -Name "AutoSuggest" `
+ | Select-Object -ExpandProperty "AutoSuggest"
+
+ if ($regValue -ne "No") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: No"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.4"
+ Task = "Turn off browser geolocation"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation" `
+ -Name "PolicyDisableGeolocation" `
+ | Select-Object -ExpandProperty "PolicyDisableGeolocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.5"
+ Task = "Prevent managing SmartScreen filter"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" `
+ -Name "EnabledV9" `
+ | Select-Object -ExpandProperty "EnabledV9"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.6"
+ Task = "Turn off Compatibility View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation" `
+ -Name "DisableSiteListEditing" `
+ | Select-Object -ExpandProperty "DisableSiteListEditing"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.7"
+ Task = "Turn off the flip ahead with page prediction feature"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.8"
+ Task = "Turn off background synchronization for feeds and Web Slices"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" `
+ -Name "BackgroundSyncStatus" `
+ | Select-Object -ExpandProperty "BackgroundSyncStatus"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.9"
+ Task = "Disable Allow Online Tips"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "AllowOnlineTips" `
+ | Select-Object -ExpandProperty "AllowOnlineTips"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.10"
+ Task = "Set home page blank"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "Start Page" `
+ | Select-Object -ExpandProperty "Start Page"
+
+ if ($regValue -ne "about:blank") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: about:blank"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.11"
+ Task = "Disable changing home page settings"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" `
+ -Name "HomePage" `
+ | Select-Object -ExpandProperty "HomePage"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.12"
+ Task = "Prevent running First Run wizard"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" `
+ -Name "DisableFirstRunCustomize and set it to Go directly to home page" `
+ | Select-Object -ExpandProperty "DisableFirstRunCustomize and set it to Go directly to home page"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.0.13"
+ Task = "Specify default behavior for a new tab"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing" `
+ -Name "NewTabPageShow" `
+ | Select-Object -ExpandProperty "NewTabPageShow"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "8.1"
+ Task = "Turn off Automatic download of the ActiveX VersionList"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager" `
+ -Name "DownloadVersionList" `
+ | Select-Object -ExpandProperty "DownloadVersionList"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9"
+ Task = "Turn off License Manager related traffic"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicenseManager" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "10"
+ Task = "Turn Off notifications network usage"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" `
+ -Name "NoCloudApplicationNotification" `
+ | Select-Object -ExpandProperty "NoCloudApplicationNotification"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "11"
+ Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail" `
+ -Name "ManualLaunchAllowed" `
+ | Select-Object -ExpandProperty "ManualLaunchAllowed"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "12"
+ Task = "Disable the Microsoft Account Sign-In Assistant"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wlidsvc" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.1"
+ Task = "Disable Allow Address Bar drop-down list suggestions"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI" `
+ -Name "ShowOneBox" `
+ | Select-Object -ExpandProperty "ShowOneBox"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.2"
+ Task = "Disable Allow configuration updates for the Books Library"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BooksLibrary" `
+ -Name "AllowConfigurationUpdateForBooksLibrary" `
+ | Select-Object -ExpandProperty "AllowConfigurationUpdateForBooksLibrary"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.3"
+ Task = "Disable Configure Autofill"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "Use FormSuggest" `
+ | Select-Object -ExpandProperty "Use FormSuggest"
+
+ if ($regValue -ne "No") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: No"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.4"
+ Task = "Configure Do Not Track"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "DoNotTrack" `
+ | Select-Object -ExpandProperty "DoNotTrack"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.5"
+ Task = "Disable Configure Password Manager"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "FormSuggest Passwords" `
+ | Select-Object -ExpandProperty "FormSuggest Passwords"
+
+ if ($regValue -ne "No") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: No"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.6"
+ Task = "Disable Configure search suggestions in Address Bar"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" `
+ -Name "ShowSearchSuggestionsGlobal" `
+ | Select-Object -ExpandProperty "ShowSearchSuggestionsGlobal"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.7"
+ Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
+ -Name "EnabledV9" `
+ | Select-Object -ExpandProperty "EnabledV9"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.8"
+ Task = "Disable Allow web content on New Tab page"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI" `
+ -Name "AllowWebContentOnNewTabPage" `
+ | Select-Object -ExpandProperty "AllowWebContentOnNewTabPage"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.9"
+ Task = "Configure corporate Home pages"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings" `
+ -Name "ProvisionedHomePages" `
+ | Select-Object -ExpandProperty "ProvisionedHomePages"
+
+ if ($regValue -ne "about:blank") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: about:blank"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.10"
+ Task = "Prevent the First Run webpage from opening on Microsoft Edge"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "PreventFirstRunPage" `
+ | Select-Object -ExpandProperty "PreventFirstRunPage"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "13.11"
+ Task = "Disable Compatibility View."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BrowserEmulation" `
+ -Name "MSCompatibilityMode" `
+ | Select-Object -ExpandProperty "MSCompatibilityMode"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "14"
+ Task = "Turn off Windows Network Connectivity Status Indicator active tests"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" `
+ -Name "NoActiveProbe" `
+ | Select-Object -ExpandProperty "NoActiveProbe"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "15.1"
+ Task = "Turn off Automatic Download and Update of Map Data"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" `
+ -Name "AutoDownloadAndUpdateMapData" `
+ | Select-Object -ExpandProperty "AutoDownloadAndUpdateMapData"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "15.2"
+ Task = "Turn off unsolicited network traffic on the Offline Maps settings page"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" `
+ -Name "AllowUntriggeredNetworkTrafficOnSettingsPage" `
+ | Select-Object -ExpandProperty "AllowUntriggeredNetworkTrafficOnSettingsPage"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "16.1"
+ Task = "Prevent the usage of OneDrive for file storage"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" `
+ -Name "DisableFileSyncNGSC" `
+ | Select-Object -ExpandProperty "DisableFileSyncNGSC"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "16.2"
+ Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive" `
+ -Name "PreventNetworkTrafficPreUserSignIn" `
+ | Select-Object -ExpandProperty "PreventNetworkTrafficPreUserSignIn"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.1"
+ Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.2"
+ Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" `
+ -Name "DisabledByGroupPolicy" `
+ | Select-Object -ExpandProperty "DisabledByGroupPolicy"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.3"
+ Task = "Turn off Let websites provide locally relevant content by accessing my language list"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Control Panel\International\User Profile" `
+ -Name "HttpAcceptLanguageOptOut" `
+ | Select-Object -ExpandProperty "HttpAcceptLanguageOptOut"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.4"
+ Task = "Turn off Let Windows track app launches to improve Start and search results"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" `
+ -Name "Start_TrackProgs" `
+ | Select-Object -ExpandProperty "Start_TrackProgs"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.1"
+ Task = "Turn off Location for this device"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessLocation" `
+ | Select-Object -ExpandProperty "LetAppsAccessLocation"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.2"
+ Task = "Turn off Location"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors" `
+ -Name "DisableLocation" `
+ | Select-Object -ExpandProperty "DisableLocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.1"
+ Task = "Turn off Let apps use my camera"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessCamera" `
+ | Select-Object -ExpandProperty "LetAppsAccessCamera"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.1"
+ Task = "Turn off Let apps use my microphone"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessMicrophone" `
+ | Select-Object -ExpandProperty "LetAppsAccessMicrophone"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.1"
+ Task = "Turn off notifications network usage"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" `
+ -Name "NoCloudApplicationNotification" `
+ | Select-Object -ExpandProperty "NoCloudApplicationNotification"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.2"
+ Task = "Turn off Let apps access my notifications"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessNotifications" `
+ | Select-Object -ExpandProperty "LetAppsAccessNotifications"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.6.1"
+ Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" `
+ -Name "HasAccepted" `
+ | Select-Object -ExpandProperty "HasAccepted"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.6.2"
+ Task = "Turn off updates to the speech recognition and speech synthesis models"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Speech" `
+ -Name "AllowSpeechModelUpdate" `
+ | Select-Object -ExpandProperty "AllowSpeechModelUpdate"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.7.1"
+ Task = "Turn off Let apps access my name, picture, and other account info"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessAccountInfo" `
+ | Select-Object -ExpandProperty "LetAppsAccessAccountInfo"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8"
+ Task = "Turn off Choose apps that can access contacts"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessContacts" `
+ | Select-Object -ExpandProperty "LetAppsAccessContacts"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.1"
+ Task = "Turn off Let apps access my calendar"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessCalendar" `
+ | Select-Object -ExpandProperty "LetAppsAccessCalendar"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.10"
+ Task = "Turn off Let apps access my call history"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessCallHistory" `
+ | Select-Object -ExpandProperty "LetAppsAccessCallHistory"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.11"
+ Task = "Turn off Let apps access and send email"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessEmail" `
+ | Select-Object -ExpandProperty "LetAppsAccessEmail"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.12.1"
+ Task = "Turn off Let apps read or send messages (text or MMS)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessMessaging" `
+ | Select-Object -ExpandProperty "LetAppsAccessMessaging"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.12.3"
+ Task = "Turn off Message Sync"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messaging" `
+ -Name "AllowMessageSync" `
+ | Select-Object -ExpandProperty "AllowMessageSync"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.13.1"
+ Task = "Turn off Let apps make phone calls"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessPhone" `
+ | Select-Object -ExpandProperty "LetAppsAccessPhone"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.14.1"
+ Task = "Turn off Let apps control radios"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessRadios" `
+ | Select-Object -ExpandProperty "LetAppsAccessRadios"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.15.1"
+ Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsSyncWithDevices" `
+ | Select-Object -ExpandProperty "LetAppsSyncWithDevices"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.15.2"
+ Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessTrustedDevices" `
+ | Select-Object -ExpandProperty "LetAppsAccessTrustedDevices"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.16.1"
+ Task = "Do not show feedback notificationsk"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
+ -Name "DoNotShowFeedbackNotifications" `
+ | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.16.2"
+ Task = "Set Send your device data to Microsoft to Basic"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
+ -Name "AllowTelemetry" `
+ | Select-Object -ExpandProperty "AllowTelemetry"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.16.3"
+ Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" `
+ -Name "DisableWindowsConsumerFeatures" `
+ | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.16.4"
+ Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" `
+ -Name "DisableTailoredExperiencesWithDiagnosticData" `
+ | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.17"
+ Task = "Turn off Let apps run in the background"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsRunInBackground" `
+ | Select-Object -ExpandProperty "LetAppsRunInBackground"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.18"
+ Task = "Turn off Let Windows and your apps use your motion data and collect motion history"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessMotion" `
+ | Select-Object -ExpandProperty "LetAppsAccessMotion"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.19"
+ Task = "Set Let Windows apps access Tasks to Force Deny"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsAccessTasks" `
+ | Select-Object -ExpandProperty "LetAppsAccessTasks"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.20"
+ Task = "Let Windows apps access diagnostic information about other apps"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" `
+ -Name "LetAppsGetDiagnosticInfo" `
+ | Select-Object -ExpandProperty "LetAppsGetDiagnosticInfo"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.21"
+ Task = "Turn off Inking & Typing data collection"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InputPersonalization" `
+ -Name "RestrictImplicitTextCollection" `
+ | Select-Object -ExpandProperty "RestrictImplicitTextCollection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.22.1"
+ Task = "Disable Activity Feed"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "EnableActivityFeed" `
+ | Select-Object -ExpandProperty "EnableActivityFeed"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.22.2"
+ Task = "Disable Allow publishing of User Activities"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "PublishUserActivities" `
+ | Select-Object -ExpandProperty "PublishUserActivities"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.22.3" + Task = "Disable Allow upload of User Activities" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.23.1" + Task = "Disable Let Windows apps activate with voice" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoice" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoice" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.23.2" + Task = "Disable Allow publishing of User Activities" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "PublishUserActivities" ` + | Select-Object -ExpandProperty "PublishUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19" + Task = "Turn off KMS Client Online AVS Validation" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "20" + Task = "Disable Allow downloading updates to the Disk Failure Prediction Model" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\StorageHealth" ` + -Name "AllowDiskHealthModelUpdates" ` + | Select-Object -ExpandProperty "AllowDiskHealthModelUpdates" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.1" + Task = "Enable Do not sync" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync" ` + -Name "DisableSettingSync" ` + | Select-Object -ExpandProperty "DisableSettingSync" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.2" + Task = "Disable Allow users to turn syncing on" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync" ` + -Name "DisableSettingSyncUserOverride" ` + | Select-Object -ExpandProperty "DisableSettingSyncUserOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.3" + Task = "Turn off Messaging cloud sync" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging" ` + -Name "CloudServiceSyncEnabled" ` + | Select-Object -ExpandProperty "CloudServiceSyncEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "22" + Task = "Set Teredo State to disabled state" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "Teredo_State" ` + | Select-Object -ExpandProperty "Teredo_State" + + if ($regValue -ne "Disabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Disabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "23" + Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.1" + Task = "Disable Join Microsoft MAPS" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpyNetReporting" ` + | Select-Object -ExpandProperty "SpyNetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.3" + Task = "Set Send file samples when further analysis is required to Never Send" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.4" + Task = "Set Define the order of sources for downloading definition updates to FileShares" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" ` + -Name "FallbackOrder" ` + | Select-Object -ExpandProperty "FallbackOrder" + + if ($regValue -ne "FileShares") { + return @{ + Message = "Registry value is '$regValue'. Expected: FileShares" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.5" + Task = "Define Define file shares for downloading definition updates to Nothing" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" ` + -Name "DefinitionUpdateFileSharesSources" ` + | Select-Object -ExpandProperty "DefinitionUpdateFileSharesSources" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.6" + Task = "Turn off Malicious Software Reporting Tool diagnostic data" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" ` + -Name "DontReportInfectionInformation" ` + | Select-Object -ExpandProperty "DontReportInfectionInformation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.7" + Task = "Turn off Enhanced Notifications as follows" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableEnhancedNotifications" ` + | Select-Object -ExpandProperty "DisableEnhancedNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.1" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.2" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" ` + -Name "ConfigureAppInstallControlEnabled" ` + | Select-Object -ExpandProperty "ConfigureAppInstallControlEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.3" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" ` + -Name "ConfigureAppInstallControl" ` + | Select-Object -ExpandProperty "ConfigureAppInstallControl" + + if ($regValue -ne "Anywhere") { + return @{ + Message = "Registry value is '$regValue'. Expected: Anywhere" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.1" + Task = "Turn off all Windows spotlight features" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.2" + Task = "Do not display the Lock Screen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreen" ` + | Select-Object -ExpandProperty "NoLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.3" + Task = "Force a specific default lock screen image and logon image" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "LockScreenImage" ` + | Select-Object -ExpandProperty "LockScreenImage" + + if ($regValue -ne "C:\windows\web\screen\lockscreen.jpg") { + return @{ + Message = "Registry value is '$regValue'. Expected: C:\windows\web\screen\lockscreen.jpg" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.4" + Task = "Turn off fun facts, tips, tricks, and more on lock screen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "LockScreenOverlaysDisabled" ` + | Select-Object -ExpandProperty "LockScreenOverlaysDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.5" + Task = "Do not show Windows tips" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSoftLanding" ` + | Select-Object -ExpandProperty "DisableSoftLanding" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.6" + Task = "Turn off Microsoft consumer experiences" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "26.1" + Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "26.2" + Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "27" + Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableAppUriHandlers" ` + | Select-Object -ExpandProperty "EnableAppUriHandlers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "28.3" + Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -ne 100) { + return @{ + Message = "Registry value is '$regValue'. Expected: 100" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.1" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DoNotConnectToWindowsUpdateInternetLocations" ` + | Select-Object -ExpandProperty "DoNotConnectToWindowsUpdateInternetLocations" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.2" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DisableWindowsUpdateAccess" ` + | Select-Object -ExpandProperty "DisableWindowsUpdateAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.3" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "WUServer" ` + | Select-Object -ExpandProperty "WUServer" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.4" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "WUStatusServer" ` + | Select-Object -ExpandProperty "WUStatusServer" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.5" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "UpdateServiceUrlAlternate" ` + | Select-Object -ExpandProperty "UpdateServiceUrlAlternate" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "29.6"
+ Task = "Turn off Windows Update"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" `
+ -Name "UseWUServer" `
+ | Select-Object -ExpandProperty "UseWUServer"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AccountPolicies.ps1
new file mode 100644
index 00000000..b2d0fab8
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AccountPolicies.ps1
@@ -0,0 +1,234 @@
+[AuditTest] @{
+ Id = "1.1.1"
+ Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 24)) {
+ return @{
+ Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.2"
+ Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 5184000 -or $setPolicy -le 0)) {
+ return @{
+ Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 5184000 and x > 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.3"
+ Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 86400)) {
+ return @{
+ Message = "'MinimumPasswordAge' currently set to: $setPolicy.
Expected: x >= 86400"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.4"
+ Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 14)) {
+ return @{
+ Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.5"
+ Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne $True) {
+ return @{
+ Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: True"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.6"
+ Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne $False) {
+ return @{
+ Message = "'ClearTextPassword' currently set to: $setPolicy.
Expected: False"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.1"
+ Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutDuration"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 900)) {
+ return @{
+ Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 900"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.2"
+ Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
+ return @{
+ Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.3"
+ Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 900)) {
+ return @{
+ Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 900"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
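Review bot: The thresholds in 1.1.2, 1.1.3, 1.2.1 and 1.2.3 are written in seconds (5184000, 86400, 900), but the 'System Access' keys of a security-policy export carry MaximumPasswordAge and MinimumPasswordAge in days and LockoutDuration and ResetLockoutCount in minutes, so unless Get-AuditResource "WindowsSecurityPolicy" (not in this hunk) normalises them to seconds, a 999-day maximum age passes as compliant and a compliant 1-day minimum age is reported as non-compliant. Whichever unit the resource returns, the failure text should state the benchmark in that same unit rather than a raw seconds figure that contradicts the Task wording, e.g. `Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 1 <= x <= 60 (days)"`. Separately, the comparisons against 24, 14, $True and $False assume a numeric or boolean value; if the resource hands back the raw string from the export, `-lt 24` becomes a lexical string comparison and `"1" -ne $True` is always true, so casting after the null check, `$setPolicy = [int]$setPolicy`, would make every check in this file robust to either representation.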
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AuditPolicies.ps1
new file mode 100644
index 00000000..c4a9b707
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#AuditPolicies.ps1
@@ -0,0 +1,1616 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory ''" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory ''" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.1"
+ Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Audit Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Audit Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.2"
+ Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authentication Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authentication Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.3"
+ Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authorization Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authorization Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.4"
+ Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Mpssvc Rule Level Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule Level Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Mpssvc Rule Level Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.5"
+ Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Policy Change Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Policy Change Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Failure" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.8.1"
+ Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Sensitive Privilege Use
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Sensitive Privilege Use'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.1"
+ Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Ipsec Driver
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Ipsec Driver'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.2"
+ Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other System Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other System Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.3"
+ Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Security State Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security State Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.4"
+ Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Security System Extension
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security System Extension'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.5"
+ Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory System Integrity
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'System Integrity'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#RegistrySettings.ps1
new file mode 100644
index 00000000..f11e6fe8
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#RegistrySettings.ps1
@@ -0,0 +1,14348 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "2") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.2" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -notmatch ".+") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -notmatch ".+") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LSAAnonymousNameLookup" ` + | Select-Object -ExpandProperty "LSAAnonymousNameLookup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.8"
+ Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" `
+ -Name "Machine" `
+ | Select-Object -ExpandProperty "Machine"
+
+ $reference = @(
+ "System\CurrentControlSet\Control\Print\Printers"
+ "System\CurrentControlSet\Services\Eventlog"
+ "Software\Microsoft\OLAP Server"
+ "Software\Microsoft\Windows NT\CurrentVersion\Print"
+ "Software\Microsoft\Windows NT\CurrentVersion\Windows"
+ "System\CurrentControlSet\Control\ContentIndex"
+ "System\CurrentControlSet\Control\Terminal Server"
+ "System\CurrentControlSet\Control\Terminal Server\UserConfig"
+ "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration"
+ "Software\Microsoft\Windows NT\CurrentVersion\Perflib"
+ "System\CurrentControlSet\Services\SysmonLog"
+ )
+ if (-not (Test-ArrayEqual $regValue $reference)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.9"
+ Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
+ -Name "RestrictNullSessAccess" `
+ | Select-Object -ExpandProperty "RestrictNullSessAccess"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.10"
+ Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "restrictremotesam" `
+ | Select-Object -ExpandProperty "restrictremotesam"
+
+ if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.11"
+ Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
+ -Name "NullSessionShares" `
+ | Select-Object -ExpandProperty "NullSessionShares"
+
+ $reference = @(
+ )
+ if (-not (Test-ArrayEqual $regValue $reference)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: "
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.12"
+ Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "ForceGuest" `
+ | Select-Object -ExpandProperty "ForceGuest"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.1"
+ Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "UseMachineId" `
+ | Select-Object -ExpandProperty "UseMachineId"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.2"
+ Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "AllowNullSessionFallback" `
+ | Select-Object -ExpandProperty "AllowNullSessionFallback"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.3"
+ Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" `
+ -Name "AllowOnlineID" `
+ | Select-Object -ExpandProperty "AllowOnlineID"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.4"
+ Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
+ -Name "SupportedEncryptionTypes" `
+ | Select-Object -ExpandProperty "SupportedEncryptionTypes"
+
+ if ($regValue -ne 2147483640) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2147483640"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.5"
+ Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "NoLMHash" `
+ | Select-Object -ExpandProperty "NoLMHash"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.7"
+ Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "LmCompatibilityLevel" `
+ | Select-Object -ExpandProperty "LmCompatibilityLevel"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.8"
+ Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" `
+ -Name "LDAPClientIntegrity" `
+ | Select-Object -ExpandProperty "LDAPClientIntegrity"
+
+ if (($regValue -lt 1)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.9"
+ Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinClientSec" `
+ | Select-Object -ExpandProperty "NTLMMinClientSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.10"
+ Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinServerSec" `
+ | Select-Object -ExpandProperty "NTLMMinServerSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.14.1"
+ Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography" `
+ -Name "ForceKeyProtection" `
+ | Select-Object -ExpandProperty "ForceKeyProtection"
+
+ if (($regValue -lt 1)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.15.1"
+ Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" `
+ -Name "ObCaseInsensitive" `
+ | Select-Object -ExpandProperty "ObCaseInsensitive"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.15.2"
+ Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" `
+ -Name "ProtectionMode" `
+ | Select-Object -ExpandProperty "ProtectionMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.1"
+ Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "FilterAdministratorToken" `
+ | Select-Object -ExpandProperty "FilterAdministratorToken"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.2"
+ Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorAdmin" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.3"
+ Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorUser" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.4"
+ Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableInstallerDetection" `
+ | Select-Object -ExpandProperty "EnableInstallerDetection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.5"
+ Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableSecureUIAPaths" `
+ | Select-Object -ExpandProperty "EnableSecureUIAPaths"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.6"
+ Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableLUA" `
+ | Select-Object -ExpandProperty "EnableLUA"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.7"
+ Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "PromptOnSecureDesktop" `
+ | Select-Object -ExpandProperty "PromptOnSecureDesktop"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.8"
+ Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableVirtualization" `
+ | Select-Object -ExpandProperty "EnableVirtualization"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.1"
+ Task = "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.2"
+ Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.3"
+ Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.4"
+ Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.5"
+ Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.6"
+ Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.7"
+ Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.8"
+ Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.9"
+ Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.10"
+ Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "5.11"
+ Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L2) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.39" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.40" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.41" + Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.42" + Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.43" + Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.44" + Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.4"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
+ -Name "DisableNotifications" `
+ | Select-Object -ExpandProperty "DisableNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.5"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogFilePath" `
+ | Select-Object -ExpandProperty "LogFilePath"
+
+ if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\domainfw.log") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\domainfw.log"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.6"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogFileSize" `
+ | Select-Object -ExpandProperty "LogFileSize"
+
+ if (($regValue -lt 16384)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 16384"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.7"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogDroppedPackets" `
+ | Select-Object -ExpandProperty "LogDroppedPackets"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.8"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogSuccessfulConnections" `
+ | Select-Object -ExpandProperty "LogSuccessfulConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.1"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" `
+ -Name "EnableFirewall" `
+ | Select-Object -ExpandProperty "EnableFirewall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.2"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" `
+ -Name "DefaultInboundAction" `
+ | Select-Object -ExpandProperty "DefaultInboundAction"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.3"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" `
+ -Name "DefaultOutboundAction" `
+ | Select-Object -ExpandProperty "DefaultOutboundAction"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.4"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" `
+ -Name "DisableNotifications" `
+ | Select-Object -ExpandProperty "DisableNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.5"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" `
+ -Name "LogFilePath" `
+ | Select-Object -ExpandProperty "LogFilePath"
+
+ if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\privatefw.log") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\privatefw.log"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.6"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" `
+ -Name "LogFileSize" `
+ | Select-Object -ExpandProperty "LogFileSize"
+
+ if (($regValue -lt 16384)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 16384"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.7"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" `
+ -Name "LogDroppedPackets" `
+ | Select-Object -ExpandProperty "LogDroppedPackets"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.8"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" `
+ -Name "LogSuccessfulConnections" `
+ | Select-Object -ExpandProperty "LogSuccessfulConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.1"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "EnableFirewall" `
+ | Select-Object -ExpandProperty "EnableFirewall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.2"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "DefaultInboundAction" `
+ | Select-Object -ExpandProperty "DefaultInboundAction"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.3"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "DefaultOutboundAction" `
+ | Select-Object -ExpandProperty "DefaultOutboundAction"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.4"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "DisableNotifications" `
+ | Select-Object -ExpandProperty "DisableNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.5"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "AllowLocalPolicyMerge" `
+ | Select-Object -ExpandProperty "AllowLocalPolicyMerge"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.6"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" `
+ -Name "AllowLocalIPsecPolicyMerge" `
+ | Select-Object -ExpandProperty "AllowLocalIPsecPolicyMerge"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.7"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" `
+ -Name "LogFilePath" `
+ | Select-Object -ExpandProperty "LogFilePath"
+
+ if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\publicfw.log") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\publicfw.log"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.8"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" `
+ -Name "LogFileSize" `
+ | Select-Object -ExpandProperty "LogFileSize"
+
+ if (($regValue -lt 16384)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 16384"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.9"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" `
+ -Name "LogDroppedPackets" `
+ | Select-Object -ExpandProperty "LogDroppedPackets"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.3.10"
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" `
+ -Name "LogSuccessfulConnections" `
+ | Select-Object -ExpandProperty "LogSuccessfulConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.1.1"
+ Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
+ -Name "NoLockScreenCamera" `
+ | Select-Object -ExpandProperty "NoLockScreenCamera"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.1.2"
+ Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" `
+ -Name "NoLockScreenSlideshow" `
+ | Select-Object -ExpandProperty "NoLockScreenSlideshow"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.2.2"
+ Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" `
+ -Name "AllowInputPersonalization" `
+ | Select-Object -ExpandProperty "AllowInputPersonalization"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.1.3"
+ Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "AllowOnlineTips" `
+ | Select-Object -ExpandProperty "AllowOnlineTips"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.2"
+ Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" `
+ -Name "PwdExpirationProtectionEnabled" `
+ | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.3"
+ Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" `
+ -Name "AdmPwdEnabled" `
+ | Select-Object -ExpandProperty "AdmPwdEnabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.4"
+ Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" `
+ -Name "PasswordComplexity" `
+ | Select-Object -ExpandProperty "PasswordComplexity"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.5"
+ Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" `
+ -Name "PasswordLength" `
+ | Select-Object -ExpandProperty "PasswordLength"
+
+ if (($regValue -lt 15)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 15"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.2.6"
+ Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" `
+ -Name "PasswordAgeDays" `
+ | Select-Object -ExpandProperty "PasswordAgeDays"
+
+ if (($regValue -gt 30)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x <= 30"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.1"
+ Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "LocalAccountTokenFilterPolicy" `
+ | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.2"
+ Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" `
+ -Name "Start" `
+ | Select-Object -ExpandProperty "Start"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.3"
+ Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
+ -Name "SMB1" `
+ | Select-Object -ExpandProperty "SMB1"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.4"
+ Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" `
+ -Name "DisableExceptionChainValidation" `
+ | Select-Object -ExpandProperty "DisableExceptionChainValidation"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.5"
+ Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" `
+ -Name "NodeType" `
+ | Select-Object -ExpandProperty "NodeType"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.3.6"
+ Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
+ -Name "UseLogonCredential" `
+ | Select-Object -ExpandProperty "UseLogonCredential"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.2"
+ Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.3"
+ Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.4"
+ Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" `
+ -Name "disablesavepassword" `
+ | Select-Object -ExpandProperty "disablesavepassword"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.5"
+ Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "EnableICMPRedirect" `
+ | Select-Object -ExpandProperty "EnableICMPRedirect"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.6"
+ Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "KeepAliveTime" `
+ | Select-Object -ExpandProperty "KeepAliveTime"
+
+ if ($regValue -ne 300000) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 300000"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.7"
+ Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" `
+ -Name "nonamereleaseondemand" `
+ | Select-Object -ExpandProperty "nonamereleaseondemand"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.8"
+ Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "PerformRouterDiscovery" `
+ | Select-Object -ExpandProperty "PerformRouterDiscovery"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.9"
+ Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" `
+ -Name "SafeDllSearchMode" `
+ | Select-Object -ExpandProperty "SafeDllSearchMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if (($regValue -gt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4.1" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.21.2" + Task = "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.23.2.1" + Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.7.1.2" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "PCI\CC_0C0A") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0A" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.7.1.3"
+ Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" `
+ -Name "DenyDeviceIDsRetroactive" `
+ | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.7.1.4"
+ Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" `
+ -Name "DenyDeviceClasses" `
+ | Select-Object -ExpandProperty "DenyDeviceClasses"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.7.1.6"
+ Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" `
+ -Name "DenyDeviceClassesRetroactive" `
+ | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.14.1"
+ Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" `
+ -Name "DriverLoadPolicy" `
+ | Select-Object -ExpandProperty "DriverLoadPolicy"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.2"
+ Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoBackgroundPolicy" `
+ | Select-Object -ExpandProperty "NoBackgroundPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.3"
+ Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoGPOListChanges" `
+ | Select-Object -ExpandProperty "NoGPOListChanges"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.4"
+ Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableCdp" `
+ | Select-Object -ExpandProperty "EnableCdp"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.5"
+ Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "DisableBkGndGroupPolicy" `
+ | Select-Object -ExpandProperty "DisableBkGndGroupPolicy"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.1"
+ Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoUseStoreOpenWith" `
+ | Select-Object -ExpandProperty "NoUseStoreOpenWith"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.2"
+ Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableWebPnPDownload" `
+ | Select-Object -ExpandProperty "DisableWebPnPDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.3"
+ Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" `
+ -Name "PreventHandwritingDataSharing" `
+ | Select-Object -ExpandProperty "PreventHandwritingDataSharing"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.4"
+ Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" `
+ -Name "PreventHandwritingErrorReports" `
+ | Select-Object -ExpandProperty "PreventHandwritingErrorReports"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.5"
+ Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" `
+ -Name "ExitOnMSICW" `
+ | Select-Object -ExpandProperty "ExitOnMSICW"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.6"
+ Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoWebServices" `
+ | Select-Object -ExpandProperty "NoWebServices"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.7"
+ Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableHTTPPrinting" `
+ | Select-Object -ExpandProperty "DisableHTTPPrinting"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.8"
+ Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" `
+ -Name "NoRegistration" `
+ | Select-Object -ExpandProperty "NoRegistration"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.9"
+ Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" `
+ -Name "DisableContentFileUpdates" `
+ | Select-Object -ExpandProperty "DisableContentFileUpdates"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.10"
+ Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoOnlinePrintsWizard" `
+ | Select-Object -ExpandProperty "NoOnlinePrintsWizard"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.11"
+ Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoPublishingWizard" `
+ | Select-Object -ExpandProperty "NoPublishingWizard"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.12"
+ Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" `
+ -Name "CEIP" `
+ | Select-Object -ExpandProperty "CEIP"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.13"
+ Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" `
+ -Name "CEIPEnable" `
+ | Select-Object -ExpandProperty "CEIPEnable"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.26.1"
+ Task = "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" `
+ -Name "DeviceEnumerationPolicy" `
+ | Select-Object -ExpandProperty "DeviceEnumerationPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.27.1"
+ Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" `
+ -Name "BlockUserInputMethodsForSignIn" `
+ | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.1"
+ Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "BlockUserFromShowingAccountDetailsOnSignin" `
+ | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.2"
+ Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "DontDisplayNetworkSelectionUI" `
+ | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.3"
+ Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "DontEnumerateConnectedUsers" `
+ | Select-Object -ExpandProperty "DontEnumerateConnectedUsers"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.4"
+ Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "EnumerateLocalUsers" `
+ | Select-Object -ExpandProperty "EnumerateLocalUsers"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.5"
+ Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "DisableLockScreenAppNotifications" `
+ | Select-Object -ExpandProperty "DisableLockScreenAppNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.6"
+ Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "BlockDomainPicturePassword" `
+ | Select-Object -ExpandProperty "BlockDomainPicturePassword"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.28.7"
+ Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" `
+ -Name "AllowDomainPINLogon" `
+ | Select-Object -ExpandProperty "AllowDomainPINLogon"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.31.1"
+ Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "AllowCrossDeviceClipboard" `
+ | Select-Object -ExpandProperty "AllowCrossDeviceClipboard"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.31.2"
+ Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "UploadUserActivities" `
+ | Select-Object -ExpandProperty "UploadUserActivities"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.1"
+ Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.2"
+ Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.3"
+ Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.4"
+ Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.5"
+ Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.34.6.6"
+ Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.36.1"
+ Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fAllowUnsolicited" `
+ | Select-Object -ExpandProperty "fAllowUnsolicited"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.36.2"
+ Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fAllowToGetHelp" `
+ | Select-Object -ExpandProperty "fAllowToGetHelp"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.37.1"
+ Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" `
+ -Name "EnableAuthEpResolution" `
+ | Select-Object -ExpandProperty "EnableAuthEpResolution"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.37.2"
+ Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" `
+ -Name "RestrictRemoteClients" `
+ | Select-Object -ExpandProperty "RestrictRemoteClients"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.47.5.1"
+ Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" `
+ -Name "DisableQueryRemoteServer" `
+ | Select-Object -ExpandProperty "DisableQueryRemoteServer"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.47.11.1"
+ Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" `
+ -Name "ScenarioExecutionEnabled" `
+ | Select-Object -ExpandProperty "ScenarioExecutionEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.49.1"
+ Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" `
+ -Name "DisabledByGroupPolicy" `
+ | Select-Object -ExpandProperty "DisabledByGroupPolicy"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.52.1.1"
+ Task = "(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.52.1.2" + Task = "(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.6.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.6.2" + Task = "(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.10.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHardwareEncryption" ` + | Select-Object -ExpandProperty "FDVHardwareEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVAllowSoftwareEncryptionFailover" ` + | Select-Object -ExpandProperty "FDVAllowSoftwareEncryptionFailover" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.12" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRestrictHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "FDVRestrictHardwareEncryptionAlgorithms" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.13" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVAllowedHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "FDVAllowedHardwareEncryptionAlgorithms" + + if ($regValue -ne "2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.14" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.15" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.16" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.2" + Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.10" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHardwareEncryption" ` + | Select-Object -ExpandProperty "OSHardwareEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.12" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSAllowSoftwareEncryptionFailover" ` + | Select-Object -ExpandProperty "OSAllowSoftwareEncryptionFailover" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.13" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRestrictHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "OSRestrictHardwareEncryptionAlgorithms" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.14" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSAllowedHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "OSAllowedHardwareEncryptionAlgorithms" + + if ($regValue -ne "2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.15" + Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.16" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.17" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHardwareEncryption" ` + | Select-Object -ExpandProperty "RDVHardwareEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVAllowSoftwareEncryptionFailover" ` + | Select-Object -ExpandProperty "RDVAllowSoftwareEncryptionFailover" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.12" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRestrictHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "RDVRestrictHardwareEncryptionAlgorithms" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.13" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVAllowedHardwareEncryptionAlgorithms" ` + | Select-Object -ExpandProperty "RDVAllowedHardwareEncryptionAlgorithms" + + if ($regValue -ne "2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.14" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.15" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.16" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.17" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.18" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.4" + Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.12.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.14.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.3" + Task = "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.1" + Task = "(L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.3" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.16.4"
+ Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" `
+ -Name "AllowBuildPreview" `
+ | Select-Object -ExpandProperty "AllowBuildPreview"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.17.1"
+ Task = "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization" `
+ -Name "DODownloadMode" `
+ | Select-Object -ExpandProperty "DODownloadMode"
+
+ if (($regValue -eq 3)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x != 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.1.1"
+ Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
+ -Name "Retention" `
+ | Select-Object -ExpandProperty "Retention"
+
+ if ($regValue -ne "0") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.1.2"
+ Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if (($regValue -lt 32768)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.2.1"
+ Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
+ -Name "Retention" `
+ | Select-Object -ExpandProperty "Retention"
+
+ if ($regValue -ne "0") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.2.2"
+ Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if (($regValue -lt 196608)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 196608"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.3.1"
+ Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
+ -Name "Retention" `
+ | Select-Object -ExpandProperty "Retention"
+
+ if ($regValue -ne "0") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.3.2"
+ Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if (($regValue -lt 32768)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.4.1"
+ Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
+ -Name "Retention" `
+ | Select-Object -ExpandProperty "Retention"
+
+ if ($regValue -ne "0") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.26.4.2"
+ Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if (($regValue -lt 32768)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.30.2"
+ Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoDataExecutionPrevention" `
+ | Select-Object -ExpandProperty "NoDataExecutionPrevention"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.30.3"
+ Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoHeapTerminationOnCorruption" `
+ | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.30.4"
+ Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "PreXPSP2ShellProtocolBehavior" `
+ | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.35.1"
+ Task = "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup" `
+ -Name "DisableHomeGroup" `
+ | Select-Object -ExpandProperty "DisableHomeGroup"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.39.2"
+ Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" `
+ -Name "DisableLocation" `
+ | Select-Object -ExpandProperty "DisableLocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.43.1"
+ Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" `
+ -Name "AllowMessageSync" `
+ | Select-Object -ExpandProperty "AllowMessageSync"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.44.1"
+ Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" `
+ -Name "DisableUserAuth" `
+ | Select-Object -ExpandProperty "DisableUserAuth"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.1"
+ Task = "(L2) Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI" `
+ -Name "ShowOneBox" `
+ | Select-Object -ExpandProperty "ShowOneBox"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.2"
+ Task = "(L2) Ensure 'Allow Adobe Flash' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons" `
+ -Name "FlashPlayerEnabled" `
+ | Select-Object -ExpandProperty "FlashPlayerEnabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.3"
+ Task = "(L2) Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "AllowInPrivate" `
+ | Select-Object -ExpandProperty "AllowInPrivate"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.4"
+ Task = "(L1) Ensure 'Allow Sideloading of extension' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions" `
+ -Name "AllowSideloadingOfExtensions" `
+ | Select-Object -ExpandProperty "AllowSideloadingOfExtensions"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.5"
+ Task = "(L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "Cookies" `
+ | Select-Object -ExpandProperty "Cookies"
+
+ if (($regValue -gt 1)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x <= 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.6"
+ Task = "(L1) Ensure 'Configure Password Manager' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "FormSuggest Passwords" `
+ | Select-Object -ExpandProperty "FormSuggest Passwords"
+
+ if ($regValue -ne "no") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: no"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.7"
+ Task = "(L2) Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "AllowPopups" `
+ | Select-Object -ExpandProperty "AllowPopups"
+
+ if ($regValue -ne "yes") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: yes"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.8"
+ Task = "(L2) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" `
+ -Name "ShowSearchSuggestionsGlobal" `
+ | Select-Object -ExpandProperty "ShowSearchSuggestionsGlobal"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.9"
+ Task = "(L1) Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security" `
+ -Name "FlashClickToRunMode" `
+ | Select-Object -ExpandProperty "FlashClickToRunMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.10"
+ Task = "(L2) Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "PreventAccessToAboutFlagsInMicrosoftEdge" `
+ | Select-Object -ExpandProperty "PreventAccessToAboutFlagsInMicrosoftEdge"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.11"
+ Task = "(L1) Ensure 'Prevent certificate error overrides' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings" `
+ -Name "PreventCertErrorOverrides" `
+ | Select-Object -ExpandProperty "PreventCertErrorOverrides"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.45.12"
+ Task = "(L2) Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" `
+ -Name "HideLocalHostIP" `
+ | Select-Object -ExpandProperty "HideLocalHostIP"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.52.1"
+ Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" `
+ -Name "DisableFileSyncNGSC" `
+ | Select-Object -ExpandProperty "DisableFileSyncNGSC"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.58.1"
+ Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" `
+ -Name "DisablePushToInstall" `
+ | Select-Object -ExpandProperty "DisablePushToInstall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.2.2"
+ Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "DisablePasswordSaving" `
+ | Select-Object -ExpandProperty "DisablePasswordSaving"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.2.1"
+ Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDenyTSConnections" `
+ | Select-Object -ExpandProperty "fDenyTSConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.3.1"
+ Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDisableCcm" `
+ | Select-Object -ExpandProperty "fDisableCcm"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.3.2"
+ Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDisableCdm" `
+ | Select-Object -ExpandProperty "fDisableCdm"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.3.3"
+ Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDisableLPT" `
+ | Select-Object -ExpandProperty "fDisableLPT"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.3.4"
+ Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDisablePNPRedir" `
+ | Select-Object -ExpandProperty "fDisablePNPRedir"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.9.1"
+ Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fPromptForPassword" `
+ | Select-Object -ExpandProperty "fPromptForPassword"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.9.2"
+ Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fEncryptRPCTraffic" `
+ | Select-Object -ExpandProperty "fEncryptRPCTraffic"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.9.3"
+ Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "SecurityLayer" `
+ | Select-Object -ExpandProperty "SecurityLayer"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.9.4"
+ Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "UserAuthentication" `
+ | Select-Object -ExpandProperty "UserAuthentication"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.9.5"
+ Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "MinEncryptionLevel" `
+ | Select-Object -ExpandProperty "MinEncryptionLevel"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.10.1"
+ Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "MaxIdleTime" `
+ | Select-Object -ExpandProperty "MaxIdleTime"
+
+ if (($regValue -gt 900000 -or $regValue -eq 0)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.10.2"
+ Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "MaxDisconnectionTime" `
+ | Select-Object -ExpandProperty "MaxDisconnectionTime"
+
+ if ($regValue -ne 60000) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 60000"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.11.1"
+ Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "DeleteTempDirsOnExit" `
+ | Select-Object -ExpandProperty "DeleteTempDirsOnExit"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.59.3.11.2"
+ Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "PerSessionTempDir" `
+ | Select-Object -ExpandProperty "PerSessionTempDir"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.60.1"
+ Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" `
+ -Name "DisableEnclosureDownload" `
+ | Select-Object -ExpandProperty "DisableEnclosureDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.2"
+ Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowCloudSearch" `
+ | Select-Object -ExpandProperty "AllowCloudSearch"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.3"
+ Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowCortana" `
+ | Select-Object -ExpandProperty "AllowCortana"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.4"
+ Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowCortanaAboveLock" `
+ | Select-Object -ExpandProperty "AllowCortanaAboveLock"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.5"
+ Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowIndexingEncryptedStoresOrItems" `
+ | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.6"
+ Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowSearchToUseLocation" `
+ | Select-Object -ExpandProperty "AllowSearchToUseLocation"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.66.1"
+ Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" `
+ -Name "NoGenTicket" `
+ | Select-Object -ExpandProperty "NoGenTicket"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.69.1"
+ Task = "(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" `
+ -Name "DisableStoreApps" `
+ | Select-Object -ExpandProperty "DisableStoreApps"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.69.2"
+ Task = "(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" `
+ -Name "RequirePrivateStoreOnly" `
+ | Select-Object -ExpandProperty "RequirePrivateStoreOnly"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.69.3"
+ Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" `
+ -Name "AutoDownload" `
+ | Select-Object -ExpandProperty "AutoDownload"
+
+ if ($regValue -ne 4) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 4"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.69.4"
+ Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" `
+ -Name "DisableOSUpgrade" `
+ | Select-Object -ExpandProperty "DisableOSUpgrade"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.69.5"
+ Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" `
+ -Name "RemoveWindowsStore" `
+ | Select-Object -ExpandProperty "RemoveWindowsStore"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.3.1"
+ Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" `
+ -Name "LocalSettingOverrideSpynetReporting" `
+ | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.3.2"
+ Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
+ -Name "SpynetReporting" `
+ | Select-Object -ExpandProperty "SpynetReporting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.7.1"
+ Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" `
+ -Name "DisableBehaviorMonitoring" `
+ | Select-Object -ExpandProperty "DisableBehaviorMonitoring"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.9.1"
+ Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" `
+ -Name "DisableGenericReports" `
+ | Select-Object -ExpandProperty "DisableGenericReports"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.10.1"
+ Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" `
+ -Name "DisableRemovableDriveScanning" `
+ | Select-Object -ExpandProperty "DisableRemovableDriveScanning"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.10.2"
+ Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" `
+ -Name "DisableEmailScanning" `
+ | Select-Object -ExpandProperty "DisableEmailScanning"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.13.1.1"
+ Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" `
+ -Name "ExploitGuard_ASR_Rules" `
+ | Select-Object -ExpandProperty "ExploitGuard_ASR_Rules"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.13.3.1"
+ Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" `
+ -Name "EnableNetworkProtection" `
+ | Select-Object -ExpandProperty "EnableNetworkProtection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.14"
+ Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" `
+ -Name "PUAProtection" `
+ | Select-Object -ExpandProperty "PUAProtection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.15"
+ Task = "(L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" `
+ -Name "DisableAntiSpyware" `
+ | Select-Object -ExpandProperty "DisableAntiSpyware"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.1"
+ Task = "(NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "AuditApplicationGuard" `
+ | Select-Object -ExpandProperty "AuditApplicationGuard"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.2"
+ Task = "(NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "AllowCameraMicrophoneRedirection" `
+ | Select-Object -ExpandProperty "AllowCameraMicrophoneRedirection"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.3"
+ Task = "(NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "AllowPersistence" `
+ | Select-Object -ExpandProperty "AllowPersistence"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.4"
+ Task = "(NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "SaveFilesToHost" `
+ | Select-Object -ExpandProperty "SaveFilesToHost"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.5"
+ Task = "(NG) Ensure 'Allow users to trust files that open in Windows Defender Application Guard' is set to 'Enabled: 0 (Do not allow users to manually trust files)' OR '2 (Allow users to manually trust after an antivirus check)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "FileTrustCriteria" `
+ | Select-Object -ExpandProperty "FileTrustCriteria"
+
+ if (($regValue -ne 0) -and ($regValue -ne 2)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x == 0 or x == 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.6"
+ Task = "(NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "AppHVSIClipboardSettings" `
+ | Select-Object -ExpandProperty "AppHVSIClipboardSettings"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.78.7"
+ Task = "(NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" `
+ -Name "AllowAppHVSI_ProviderSet" `
+ | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.80.2.1"
+ Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" `
+ -Name "EnabledV9" `
+ | Select-Object -ExpandProperty "EnabledV9"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.80.2.2" + Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.80.2.3" + Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.82.1" + Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.84.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.84.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.86.1" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.95.1" + Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.95.2" + Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.98.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.99.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.102.2" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.102.3" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.102.4" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.102.5" + Task = "(L1) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#UserRights.ps1
new file mode 100644
index 00000000..26db3b39
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-1.8.1#UserRights.ps1
@@ -0,0 +1,1267 @@
+# Common
+function ConvertTo-NTAccountUser {
+ [CmdletBinding()]
+ [OutputType([hashtable])]
+ Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string] $Name
+ )
+
+ process {
+ # Identity doesn't exist on when Hyper-V isn't installed
+ if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
+ (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
+ return $null
+ }
+
+ Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
+ if ($Name -match "^(S-[0-9-]{3,})") {
+ $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
+ }
+ else {
+ $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
+ }
+ return @{
+ Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
+ Sid = $sidAccount.Value
+ }
+ }
+}
+
+# Tests
+[AuditTest] @{
+ Id = "2.2.1"
+ Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages 
= @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = 
$identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Create a pagefile' 
is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Debug 
programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | 
Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 
'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + 
$messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + 
Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = 
$currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + 
} + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } 
+ } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#AccountPolicies.ps1 new file mode 100644 index 00000000..c8bb3154 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#AccountPolicies.ps1 
@@ -0,0 +1,234 @@ +[AuditTest] @{ + Id = "WN10-AC-000005" + Task = "Windows 10 account lockout duration must be configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000010" + Task = "The number of allowed bad logon attempts must be configured to 3 or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -gt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000015" + Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000020" + Task = "The password history must be configured to 24 passwords remembered." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 24)) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000025" + Task = "The maximum password age must be configured to 60 days or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -gt 60)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000030" + Task = "The minimum password age must be configured to at least 1 day." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000035" + Task = "Passwords must, at a minimum, be 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." 
+ Status = "False" + } + } + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000040" + Task = "The built-in Microsoft password complexity filter must be enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-AC-000045" + Task = "Reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#FileSystemPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#FileSystemPermissions.ps1 new file mode 100644 index 00000000..dd1b4da9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#FileSystemPermissions.ps1 
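Review bot: WN10-AC-000025 accepts a "never expires" maximum password age, because `if (($setPolicy -gt 60))` rejects only values above 60, while the STIG text also treats a password age that never expires as a finding; the hunk already uses the right pattern for LockoutBadCount, so `if ($setPolicy -gt 60 -or $setPolicy -le 0)` with the message `Expected: 1 <= x <= 60` keeps the file consistent (secedit writes the never-expires case as 0 or -1 depending on how the resource parses the exported .inf, hence `-le 0`). In WN10-AC-000005 the reverse applies: `$setPolicy -lt 15` reports a lockout duration of -1 (administrator must unlock) as non-compliant, although as far as I recall the STIG check text that setting is more restrictive and not a finding — worth confirming before release. Every numeric branch also assumes `$setPolicy` is already a number; if Get-AuditResource hands back the raw string from the .inf, `-lt`/`-gt` compare lexically (`'5' -lt 15` is false), so an explicit `[int]` cast at the assignment would make the comparisons robust.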
@@ -0,0 +1,208 @@ +# Common +using namespace System.Security.AccessControl + +# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management') + +enum GARights { + GENERIC_READ = 0x80000000 + GENERIC_WRITE = 0x40000000 + GENERIC_EXECUTE = 0x20000000 + GENERIC_ALL = 0x10000000 +} + +# See https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights for more information +$GAToFSRMapping = @{ + [GARights]::GENERIC_READ = ` + [FileSystemRights]::ReadAttributes -bor ` + [FileSystemRights]::ReadData -bor ` + [FileSystemRights]::ReadExtendedAttributes -bor ` + [FileSystemRights]::ReadPermissions -bor ` + [FileSystemRights]::Synchronize + [GARights]::GENERIC_WRITE = ` + [FileSystemRights]::AppendData -bor ` + [FileSystemRights]::WriteAttributes -bor ` + [FileSystemRights]::WriteData -bor ` + [FileSystemRights]::WriteExtendedAttributes -bor ` + [FileSystemRights]::ReadPermissions -bor ` + [FileSystemRights]::Synchronize + [GARights]::GENERIC_EXECUTE = ` + [FileSystemRights]::ExecuteFile -bor ` + [FileSystemRights]::ReadPermissions -bor ` + [FileSystemRights]::ReadAttributes -bor ` + [FileSystemRights]::Synchronize + [GARights]::GENERIC_ALL = ` + [FileSystemRights]::FullControl +} + +function Convert-FileSystemRights { + param( + [Parameter(Mandatory = $true)] + [FileSystemRights] $OriginalRights + ) + + [FileSystemRights]$MappedRights = [FileSystemRights]::new() + + # map generic access right + foreach ($GAR in $GAToFSRMapping.Keys) { + if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) { + $MappedRights = $MappedRights -bor $GAToFSRMapping[$GAR] + } + } + + # mask standard access rights and object-specific access rights + $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF) + + return $MappedRights +} + +# Tests +[AuditTest] @{ + Id = "WN10-AU-000515" + Task = "Permissions for the Application event log must prevent access by non-privileged accounts." 
+ Test = { + $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Application.evtx").Access + + Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Application.evtx)" + + $PrincipalRights = @{ + "BUILTIN\Administrators" = "FullControl" + "NT AUTHORITY\SYSTEM" = "FullControl" + "NT SERVICE\EventLog" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ } + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + } + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-AU-000520" + Task = "Permissions for the Security event log must prevent access by non-privileged accounts." 
+ Test = { + $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Security.evtx").Access + + Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Security.evtx)" + + $PrincipalRights = @{ + "BUILTIN\Administrators" = "FullControl" + "NT AUTHORITY\SYSTEM" = "FullControl" + "NT SERVICE\EventLog" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ } + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + } + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-AU-000525" + Task = "Permissions for the System event log must prevent access by non-privileged accounts." 
+ Test = { + $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\System.evtx").Access + + Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\System.evtx)" + + $PrincipalRights = @{ + "BUILTIN\Administrators" = "FullControl" + "NT AUTHORITY\SYSTEM" = "FullControl" + "NT SERVICE\EventLog" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ } + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + } + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistryPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistryPermissions.ps1 new file mode 100644 index 00000000..66dc00aa --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistryPermissions.ps1 
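Review bot: The ACE filters in WN10-AU-000515/520/525 never consult `$_.AccessControlType`, so a Deny entry for a principal outside `$PrincipalRights` is reported as "Unexpected …" (false positive) while a Deny entry for BUILTIN\Administrators with FullControl passes as compliant (false negative); the three WN10-RG-000005 tests in the RegistryPermissions hunk share the same gap. Restricting the comparison to allow entries, e.g. `$acls = (Get-Acl ...).Access | Where-Object { $_.AccessControlType -eq [AccessControlType]::Allow }`, or at least printing the type in the message, would make a finding unambiguous. `Get-Acl` is not wrapped in try/catch here, so a missing or unreadable log file throws out of the Test block instead of yielding a Status/Message pair — unless the framework catches that for every test, which is not visible in this hunk. Minor: the `Write-Verbose` text ends with a stray `)` after the path, and `$principalsWithTooManyRights` actually holds principals that are merely absent from the expectation table, whatever rights they carry.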
@@ -0,0 +1,199 @@ +# Common +using namespace System.Security.AccessControl + +# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management') + +enum GARights { + GENERIC_READ = 0x80000000 + GENERIC_WRITE = 0x40000000 + GENERIC_EXECUTE = 0x20000000 + GENERIC_ALL = 0x10000000 +} + +# Non official mappings +$GAToRRMaping = @{ + [GARights]::GENERIC_READ = ` + [RegistryRights]::ReadKey + [GARights]::GENERIC_WRITE = ` + [RegistryRights]::WriteKey + [GARights]::GENERIC_ALL = ` + [RegistryRights]::FullControl +} + +function Convert-RegistryRights { + param( + [Parameter(Mandatory = $true)] + [RegistryRights] $OriginalRights + ) + + [RegistryRights]$MappedRights = [RegistryRights]::new() + + # map generic access right + foreach ($GAR in $GAToRRMaping.Keys) { + if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) { + $MappedRights = $MappedRights -bor $GAToRRMaping[$GAR] + } + } + + # mask standard access rights and object-specific access rights + $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF) + + return $MappedRights +} + +# Tests +[AuditTest] @{ + Id = "WN10-RG-000005 A" + Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." 
+ Test = { + + $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SECURITY").Access + + Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SECURITY)" + + $PrincipalRights = @{ + "NT Authority\System" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ } + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + }.GetNewClosure() + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-RG-000005 B" + Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." 
+ Test = { + + $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SOFTWARE").Access + + Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SOFTWARE)" + + $PrincipalRights = @{ + "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey" + "BUILTIN\Administrators" = "FullControl" + "BUILTIN\Users" = "ReadKey" + "CREATOR OWNER" = "FullControl" + "NT Authority\System" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ } + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + }.GetNewClosure() + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-RG-000005 C" + Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." 
+ Test = { + + $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SYSTEM").Access + + Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SYSTEM)" + + $PrincipalRights = @{ + "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey" + "BUILTIN\Administrators" = "FullControl" + "BUILTIN\Users" = "ReadKey" + "CREATOR OWNER" = "FullControl" + "NT Authority\System" = "FullControl" + } + + $principalsWithTooManyRights = $acls | Where-Object { + $_.IdentityReference.Value -NotIn $PrincipalRights.Keys + } + $principalsWithWrongRights = $acls ` + | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } ` + | Where-Object { + # convert string to rights enum + $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ } + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + $mappedRights -notin $referenceRights + } + + if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) { + $messages = @() + $messages += $principalsWithTooManyRights | ForEach-Object { + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Unexpected '$($_.IdentityReference)' with access '$mappedRights'" + } + $messages += $principalsWithWrongRights | ForEach-Object { + $idKey = $_.IdentityReference.Value + $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights + "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'" + }.GetNewClosure() + + return @{ + Status = "False" + Message = $messages -join "; " + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistrySettings.ps1 new file mode 100644 index 00000000..e34ee6de --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#RegistrySettings.ps1 
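Review bot: The expectation table for WN10-RG-000005 A lists only `"NT Authority\System"`, yet the default DACL of HKLM\SECURITY — and, as far as I recall the STIG check text, the baseline it describes — also carries an Administrators entry limited to Read Control and Write DAC, so a default-configured host is reported as `Unexpected 'BUILTIN\Administrators'`; please verify against the STIG and, if it matches, add `"BUILTIN\Administrators" = "ReadPermissions, ChangePermissions"`. `$GAToRRMaping` has no GENERIC_EXECUTE entry, so an ACE granting only that generic bit is reduced to its low 24 bits by `-band 0x00FFFFFF` and lands in `$principalsWithWrongRights`; for registry keys KEY_EXECUTE is documented as equivalent to KEY_READ, so `[GARights]::GENERIC_EXECUTE = [RegistryRights]::ReadKey` would mirror the file-system variant. `.GetNewClosure()` is appended to the second `ForEach-Object` block only in this file and not in the FileSystemPermissions copy; the block reads only `$_` and `$PrincipalRights`, so either the reason deserves a comment or the call should go for consistency. The spelling `$GAToRRMaping` and the stray `)` in the Write-Verbose text are cosmetic.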
@@ -0,0 +1,3996 @@
+[AuditTest] @{
+ Id = "WN10-CC-000310"
+ Task = "Users must be prevented from changing installation options."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\" `
+ -Name "EnableUserControl" `
+ | Select-Object -ExpandProperty "EnableUserControl"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000315"
+ Task = "The Windows Installer Always install with elevated privileges must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\" `
+ -Name "AlwaysInstallElevated" `
+ | Select-Object -ExpandProperty "AlwaysInstallElevated"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000320"
+ Task = "Users must be notified if a web-based program attempts to install software."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\" `
+ -Name "SafeForScripting" `
+ | Select-Object -ExpandProperty "SafeForScripting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000325"
+ Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" `
+ -Name "DisableAutomaticRestartSignOn" `
+ | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000330"
+ Task = "The Windows Remote Management (WinRM) client must not use Basic authentication."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" `
+ -Name "AllowBasic" `
+ | Select-Object -ExpandProperty "AllowBasic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000335"
+ Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" `
+ -Name "AllowUnencryptedTraffic" `
+ | Select-Object -ExpandProperty "AllowUnencryptedTraffic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000340"
+ Task = "The Windows Remote Management (WinRM) client must not use Digest authentication."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" `
+ -Name "AllowDigest" `
+ | Select-Object -ExpandProperty "AllowDigest"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000345"
+ Task = "The Windows Remote Management (WinRM) service must not use Basic authentication."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" `
+ -Name "AllowBasic" `
+ | Select-Object -ExpandProperty "AllowBasic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000350"
+ Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" `
+ -Name "AllowUnencryptedTraffic" `
+ | Select-Object -ExpandProperty "AllowUnencryptedTraffic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000355"
+ Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" `
+ -Name "DisableRunAs" `
+ | Select-Object -ExpandProperty "DisableRunAs"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-AU-000500"
+ Task = "The Application event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-AU-000505"
+ Task = "The Security event log size must be configured to 1024000 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 1024000) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1024000"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-AU-000510"
+ Task = "The System event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000005"
+ Task = "Camera access from the lock screen must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\" `
+ -Name "NoLockScreenCamera" `
+ | Select-Object -ExpandProperty "NoLockScreenCamera"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000010"
+ Task = "The display of slide shows on the lock screen must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\" `
+ -Name "NoLockScreenSlideshow" `
+ | Select-Object -ExpandProperty "NoLockScreenSlideshow"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000020"
+ Task = "IPv6 source routing must be configured to highest protection."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" `
+ -Name "DisableIpSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIpSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000025"
+ Task = "The system must be configured to prevent IP source routing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000030"
+ Task = "The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" `
+ -Name "EnableICMPRedirect" `
+ | Select-Object -ExpandProperty "EnableICMPRedirect"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000035"
+ Task = "The system must be configured to ignore NetBIOS name release requests except from WINS servers."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\" `
+ -Name "NoNameReleaseOnDemand" `
+ | Select-Object -ExpandProperty "NoNameReleaseOnDemand"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000040"
+ Task = "Insecure logons to an SMB server must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\" `
+ -Name "AllowInsecureGuestAuth" `
+ | Select-Object -ExpandProperty "AllowInsecureGuestAuth"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000055"
+ Task = "Simultaneous connections to the Internet or a Windows domain must be limited."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\" `
+ -Name "fMinimizeConnections" `
+ | Select-Object -ExpandProperty "fMinimizeConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000060"
+ Task = "Connections to non-domain networks when connected to a domain authenticated network must be blocked."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\" `
+ -Name "fBlockNonDomain" `
+ | Select-Object -ExpandProperty "fBlockNonDomain"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000065"
+ Task = "Wi-Fi Sense must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\" `
+ -Name "AutoConnectAllowedOEM" `
+ | Select-Object -ExpandProperty "AutoConnectAllowedOEM"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000037"
+ Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" `
+ -Name "LocalAccountTokenFilterPolicy" `
+ | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000085"
+ Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\" `
+ -Name "DriverLoadPolicy" `
+ | Select-Object -ExpandProperty "DriverLoadPolicy"
+
+ if ($regValue -ne 8) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 8"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000090"
+ Task = "Group Policy objects must be reprocessed even if they have not changed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoGPOListChanges" `
+ | Select-Object -ExpandProperty "NoGPOListChanges"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000100"
+ Task = "Downloading print driver packages over HTTP must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\" `
+ -Name "DisableWebPnPDownload" `
+ | Select-Object -ExpandProperty "DisableWebPnPDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-SO-000015"
+ Task = "Local accounts with blank passwords must be restricted to prevent access from the network."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" `
+ -Name "LimitBlankPasswordUse" `
+ | Select-Object -ExpandProperty "LimitBlankPasswordUse"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000105"
+ Task = "Web publishing and online ordering wizards must be prevented from downloading a list of providers."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" `
+ -Name "NoWebServices" `
+ | Select-Object -ExpandProperty "NoWebServices"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000110"
+ Task = "Printing over HTTP must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\" `
+ -Name "DisableHTTPPrinting" `
+ | Select-Object -ExpandProperty "DisableHTTPPrinting"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000115"
+ Task = "Systems must at least attempt device authentication using certificates."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\" `
+ -Name "DevicePKInitEnabled" `
+ | Select-Object -ExpandProperty "DevicePKInitEnabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000120"
+ Task = "The network selection user interface (UI) must not be displayed on the logon screen."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\" `
+ -Name "DontDisplayNetworkSelectionUI" `
+ | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000130"
+ Task = "Local users on domain-joined computers must not be enumerated."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\" `
+ -Name "EnumerateLocalUsers" `
+ | Select-Object -ExpandProperty "EnumerateLocalUsers"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-SO-000030"
+ Task = "Audit policy using subcategories must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" `
+ -Name "SCENoApplyLegacyAuditPolicy" `
+ | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-SO-000035"
+ Task = "Outgoing secure channel traffic must be encrypted or signed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" `
+ -Name "RequireSignOrSeal" `
+ | Select-Object -ExpandProperty "RequireSignOrSeal"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-SO-000040"
+ Task = "Outgoing secure channel traffic must be encrypted when possible."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" `
+ -Name "SealSecureChannel" `
+ | Select-Object -ExpandProperty "SealSecureChannel"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000145"
+ Task = "Users must be prompted for a password on resume from sleep (on battery)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-SO-000045"
+ Task = "Outgoing secure channel traffic must be signed when possible."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" `
+ -Name "SignSecureChannel" `
+ | Select-Object -ExpandProperty "SignSecureChannel"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000150"
+ Task = "The user must be prompted for a password on resume from sleep (plugged in)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-CC-000155"
+ Task = "Solicited Remote Assistance must not be allowed."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000050" + Task = "The computer account password must not be prevented from being reset." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000165" + Task = "Unauthenticated RPC clients must be restricted from connecting to the RPC server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000170" + Task = "The setting to allow Microsoft accounts to be optional for modern style apps must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000175" + Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat\" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000060" + Task = "The system must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000180" + Task = "Autoplay must be turned off for non-volume devices." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000070" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000185" + Task = "The default autorun behavior must be configured to prevent autorun commands." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000190" + Task = "Autoplay must be disabled for all drives." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000195" + Task = "Enhanced anti-spoofing for facial recognition must be enabled on Window 10." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000200" + Task = "Administrator accounts must not be enumerated during elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000215" + Task = "Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000220" + Task = "Turning off File Explorer heap termination on corruption must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000225" + Task = "File Explorer shell protocol must run in protected mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000095" + Task = "The Smart Card removal option must be configured to Force Logoff or Lock Workstation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" ` + -Name "SCRemoveOption" ` + | Select-Object -ExpandProperty "SCRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000230" + Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000235" + Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000100" + Task = "The Windows SMB client must be configured to always perform SMB packet signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000240" + Task = "InPrivate browsing in Microsoft Edge must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\" ` + -Name "AllowInPrivate" ` + | Select-Object -ExpandProperty "AllowInPrivate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000105" + Task = "The Windows SMB client must be enabled to perform SMB packet signing when possible." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000110" + Task = "Unencrypted passwords must not be sent to third-party SMB Servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000250" + Task = "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000255" + Task = "The use of a hardware security device with Windows Hello for Business must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\" ` + -Name "RequireSecurityDevice" ` + | Select-Object -ExpandProperty "RequireSecurityDevice" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000120" + Task = "The Windows SMB server must be configured to always perform SMB packet signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000260" + Task = "Windows 10 must be configured to require a minimum pin length of six characters or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\" ` + -Name "MinimumPINLength" ` + | Select-Object -ExpandProperty "MinimumPINLength" + + if ($regValue -ne 6) { + return @{ + Message = "Registry value is '$regValue'. Expected: 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000125" + Task = "The Windows SMB server must perform SMB packet signing when possible." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000270" + Task = "Passwords must not be saved in the Remote Desktop Client." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000275" + Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000280" + Task = "Remote Desktop Services must always prompt a client for passwords upon connection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000285" + Task = "The Remote Desktop Session Host must require secure RPC communications." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000290" + Task = "Remote Desktop Services must be configured with the client connection encryption set to the required level." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000295" + Task = "Attachments must be prevented from being downloaded from RSS feeds." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000145" + Task = "Anonymous enumeration of SAM accounts must not be allowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000300" + Task = "Basic authentication for RSS feeds over HTTP must not be used." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000150" + Task = "Anonymous enumeration of shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000305" + Task = "Indexing of encrypted files must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000160" + Task = "The system must be configured to prevent anonymous users from having the same rights as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000165" + Task = "Anonymous access to Named Pipes and Shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000175" + Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000180" + Task = "NTLM must be prevented from falling back to a Null session." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000185" + Task = "PKU2U authentication using online identities must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u\" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000190" + Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000195" + Task = "The system must be configured to prevent the storage of the LAN Manager hash of passwords." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000205" + Task = "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000210" + Task = "The system must be configured to the required LDAP client signing level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP\" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000215" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based clients." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000220" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000230" + Task = "The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000240" + Task = "The default permissions of global system objects must be increased." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000245" + Task = "User Account Control approval mode for the built-in Administrator must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000250" + Task = "User Account Control must, at minimum, prompt administrators for consent on the secure desktop." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000255" + Task = "User Account Control must automatically deny elevation requests for standard users." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000260" + Task = "User Account Control must be configured to detect application installations and prompt for elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000265" + Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000270" + Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-SO-000275" + Task = "User Account Control must virtualize file and registry write failures to per-user locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-UC-000015" + Task = "Toast notifications to the lock screen must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-UC-000020" + Task = "Zone information must be preserved when saving attachments." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000066" + Task = "Command line data must be included in process creation events." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000326" + Task = "PowerShell script block logging must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-00-000150" + Task = "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000038" + Task = "WDigest Authentication must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000044" + Task = "Internet connection sharing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000197" + Task = "Microsoft consumer experiences must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent\" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000228" + Task = "Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Privacy\" ` + -Name "ClearBrowsingHistoryOnExit" ` + | Select-Object -ExpandProperty "ClearBrowsingHistoryOnExit" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000252" + Task = "Windows 10 must be configured to disable Windows Game Recording and Broadcasting." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR\" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000068" + Task = "Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-00-000165" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-UC-000005" + Task = "The use of personal accounts for OneDrive synchronization must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive\" ` + -Name "DisablePersonalSync" ` + | Select-Object -ExpandProperty "DisablePersonalSync" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000238" + Task = "Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\" ` + -Name "PreventCertErrorOverrides" ` + | Select-Object -ExpandProperty "PreventCertErrorOverrides" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN10-CC-000204" + Task = "If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\" ` + -Name "LimitEnhancedDiagnosticDataWindowsAnalytics" ` + | Select-Object -ExpandProperty "LimitEnhancedDiagnosticDataWindowsAnalytics" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#UserRights.ps1 new file mode 100644 index 00000000..f0ab9eb9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#UserRights.ps1 
@@ -0,0 +1,1155 @@
+# Common
+function ConvertTo-NTAccountUser {
+ [CmdletBinding()]
+ [OutputType([hashtable])]
+ Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string] $Name
+ )
+
+ process {
+ # Identity doesn't exist on when Hyper-V isn't installed
+ if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
+ (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
+ return $null
+ }
+
+ Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
+ if ($Name -match "^(S-[0-9-]{3,})") {
+ $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
+ }
+ else {
+ $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
+ }
+ return @{
+ Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
+ Sid = $sidAccount.Value
+ }
+ }
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN10-UR-000005"
+ Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000010"
+ Task = "The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "Remote Desktop Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000015"
+ Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000025"
+ Task = "The Allow log on locally user right must only be assigned to the Administrators and Users groups."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000030"
+ Task = "The Back up files and directories user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000035"
+ Task = "The Change the system time user right must only be assigned to Administrators and Local Service."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ "Local Service"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000040"
+ Task = "The Create a pagefile user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000045"
+ Task = "The Create a token object user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000050"
+ Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ "Service"
+ "Local Service"
+ "Network Service"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000055"
+ Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000065"
+ Task = "The Debug programs user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000070 MW"
+ Task = "The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Local account"
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000070 SW"
+ Task = "The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000075 MW"
+ Task = "The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000080 MW"
+ Task = "The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000085 MW"
+ Task = "The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000085 SW"
+ Task = "The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000090 MW"
+ Task = "The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Local account"
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000090 SW"
+ Task = "The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneWorkstation" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000100"
+ Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000105"
+ Task = "The Generate security audits user right must only be assigned to Local Service and Network Service."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"]
+ $identityAccounts = @(
+ "Local Service"
+ "Network Service"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000110"
+ Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ "Service"
+ "Local Service"
+ "Network Service"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000115"
+ Task = "The Increase scheduling priority user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000120"
+ Task = "The Load and unload device drivers user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-UR-000125"
+ Task = "The Lock pages in memory user right must not be assigned to any groups or accounts."
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000130" + Task = "The Manage auditing and security log user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000140" + Task = "The Modify firmware environment values user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000145" + Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000150" + Task = "The Profile single process user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000160" + Task = "The Restore files and directories user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN10-UR-000165" + Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#WindowsOptionalFeatures.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#WindowsOptionalFeatures.ps1 new file mode 100644 index 00000000..4bef79b0 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R16#WindowsOptionalFeatures.ps1 
@@ -0,0 +1,76 @@
+[AuditTest] @{
+ Id = "WN10-00-000100"
+ Task = "Internet Information System (IIS) or its subcomponents must not be installed on a workstation."
+ Test = {
+ $installState = (Get-WindowsOptionalFeature -Online -FeatureName "IIS-WebServer").State
+
+ if ($installState -ne "Disabled") {
+ return @{
+ Status = "False"
+ Message = "The feature is not disabled."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-00-000110"
+ Task = "Simple TCP/IP Services must not be installed on the system."
+ Test = {
+ $installState = (Get-WindowsOptionalFeature -Online -FeatureName "SimpleTCP").State
+
+ if ($installState -ne "Disabled") {
+ return @{
+ Status = "False"
+ Message = "The feature is not disabled."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-00-000115"
+ Task = "The Telnet Client must not be installed on the system."
+ Test = {
+ $installState = (Get-WindowsOptionalFeature -Online -FeatureName "TelnetClient").State
+
+ if ($installState -ne "Disabled") {
+ return @{
+ Status = "False"
+ Message = "The feature is not disabled."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN10-00-000120"
+ Task = "The TFTP Client must not be installed on the system."
+ Test = {
+ $installState = (Get-WindowsOptionalFeature -Online -FeatureName "TFTP").State
+
+ if ($installState -ne "Disabled") {
+ return @{
+ Status = "False"
+ Message = "The feature is not disabled."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AccountPolicies.ps1
new file mode 100644
index 00000000..b2d0fab8
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AccountPolicies.ps1
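Review bot: The `$installState -ne "Disabled"` comparison used by all four tests in this hunk reports a finding for every state other than `Disabled`, yet `Get-WindowsOptionalFeature` also reports `DisabledWithPayloadRemoved` for a feature that is not installed, and for a feature name the image does not know it appears to return nothing, leaving `$installState` as `$null` and again producing a false "not disabled" result. Treating an empty result as its own outcome and accepting both disabled states would avoid that: `if ($null -eq $installState) { return @{ Status = "None"; Message = "Feature not found." } }` followed by `if ($installState -notin @("Disabled", "DisabledWithPayloadRemoved")) {`. The failure message would also help the auditor more if it carried the observed value, `Message = "The feature is in state '$installState'."`, instead of the fixed text. Separately, `Get-WindowsOptionalFeature -Online` needs an elevated session and its error is not caught here, so a non-elevated run surfaces as an exception rather than a Status of "None"; and since WN10-00-000100 speaks of IIS "or its subcomponents", checking only `IIS-WebServer` may under-report — worth confirming against the rule text.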
@@ -0,0 +1,234 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 24)) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -gt 5184000 -or $setPolicy -le 0)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 5184000 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 86400)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 86400" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setPolicy -ne $True) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: True" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setPolicy -ne $False) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: False" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 900)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 900" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -gt 10 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if (($setPolicy -lt 900)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 900" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
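Review bot: The threshold comparisons in this file (`$setPolicy -lt 24` in 1.1.1 and the `-lt`/`-gt`/`-le` checks in 1.1.2 through 1.2.3) depend on `$securityPolicy['System Access'][...]` yielding a number; if Get-AuditResource hands back the text values of a secedit export, PowerShell compares strings lexically, so `"9" -lt "24"` is false and a nine-entry password history passes as compliant, while `"1" -ne $True` in 1.1.5 becomes a false finding. Converting after the null check pins the type without breaking the "Currently not set." branch: `if ([int]$setPolicy -lt 24) {`, and for 1.1.5 `if ([int]$setPolicy -ne 1) {` with `-ne 0` in 1.1.6, assuming the resource keeps the INF's 1/0 representation. The 1.1.2 bound of 5184000 is 60 days in seconds, whereas a secedit export records MaximumPasswordAge in days (with -1 for never); unless the resource converts units, the upper bound would never trip, so the unit should be confirmed against the resource's parser and stated in the message.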
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AuditPolicies.ps1
new file mode 100644
index 00000000..9a441cbd
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#AuditPolicies.ps1
@@ -0,0 +1,1673 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only)" + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.2.6"
+ Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory User Account Management
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'User Account Management'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.3.1"
+ Task = "(L1) Ensure 'Audit PNP Activity' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Pnp Activity
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Pnp Activity"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Pnp Activity'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.3.2"
+ Task = "(L1) Ensure 'Audit Process Creation' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Process Creation
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Process Creation'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.4.1"
+ Task = "(L1) Ensure 'Audit Directory Service Access' is set to 'Success and Failure' (DC only)"
+ Test = {
+ # Get the audit policy for the subcategory Directory Service Access
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Directory Service Access'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.4.2"
+ Task = "(L1) Ensure 'Audit Directory Service Changes' is set to 'Success and Failure' (DC only)"
+ Test = {
+ # Get the audit policy for the subcategory Directory Service Changes
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Directory Service Changes'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.1"
+ Task = "(L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Account Lockout
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Account Lockout'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.2"
+ Task = "(L1) Ensure 'Audit Group Membership' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Group Membership
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Group Membership'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.3"
+ Task = "(L1) Ensure 'Audit Logoff' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Logoff
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Logoff'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.4"
+ Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Logon
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Logon'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.5"
+ Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Logon Logoff Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon Logoff Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Logon Logoff Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.6"
+ Task = "(L1) Ensure 'Audit Special Logon' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Special Logon
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Special Logon'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.1"
+ Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Object Access Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Object Access Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.2"
+ Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Removable Storage
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Removable Storage'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.1"
+ Task = "(L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Audit Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Audit Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.2"
+ Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authentication Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authentication Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.3"
+ Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authorization Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authorization Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.8.1"
+ Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Sensitive Privilege Use
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Sensitive Privilege Use'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.1"
+ Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Ipsec Driver
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Ipsec Driver'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.2"
+ Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other System Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other System Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.3"
+ Task = "(L1) Ensure 'Audit Security State Change' is set to 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Security State Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security State Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.4"
+ Task = "(L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Security System Extension
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security System Extension'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.5"
+ Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory System Integrity
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'System Integrity'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#RegistrySettings.ps1
new file mode 100644
index 00000000..fb312994
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#RegistrySettings.ps1
@@ -0,0 +1,439 @@ +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (MS Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' (MS Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' (MS Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' (MS Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.43.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.76.13.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" ` + -Name "ExploitGuard_ASR_Rules" ` + | Select-Object -ExpandProperty "ExploitGuard_ASR_Rules" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.76.13.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.79.1.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
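Review bot: In 2.3.10.6 and 2.3.10.7 the value handed to `Test-ArrayEqual` is not normalized before the comparison: `Select-Object -ExpandProperty "NullSessionPipes"` yields `$null` for an empty REG_MULTI_SZ (the compliant state in 2.3.10.7) and a bare string for a one-entry list, so whether `@()` or the three-element reference compares equal depends on how the out-of-view helper treats non-array input. Coercing first, `if ($null -eq $regValue) { $regValue = @() } else { $regValue = @($regValue) }`, makes the input shape independent of the registry contents; it is also worth confirming that the helper compares pipe names case-insensitively, as the server does, since a casing mismatch would surface here as a non-compliance rather than an error. For the DeviceGuard checks 18.8.5.1 through 18.8.5.5 a header comment would help readers, e.g. `# Reads the configured policy value only; it does not confirm that VBS/HVCI/Credential Guard is actually running on this host`, because the values under `SOFTWARE\Policies\Microsoft\Windows\DeviceGuard` reflect the GPO setting, not hardware-dependent runtime state.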
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#UserRights.ps1
new file mode 100644
index 00000000..850dbc26
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-1.1.0#UserRights.ps1
@@ -0,0 +1,1409 @@ +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + 
+ return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-11" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-11" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { 
$_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } 
+ } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + 
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] 
@{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] 
+ $identityAccounts = @( + "S-1-5-32-544" + # "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return 
@{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + "S-1-5-17" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + 
$message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + 
$messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + 
$identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return 
@{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count 
-gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#AccountPolicies.ps1 new file mode 100644 index 00000000..09040cc8 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#AccountPolicies.ps1 
@@ -0,0 +1,286 @@
+[AuditTest] @{
+ Id = "WN16-AC-000010"
+ Task = "Windows 2016 account lockout duration must be configured to 15 minutes or greater."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutDuration"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 15)) {
+ return @{
+ Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000020"
+ Task = "The number of allowed bad logon attempts must be configured to three or less."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 3 -or $setPolicy -eq 0)) {
+ return @{
+ Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 3 and x != 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000030"
+ Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes or greater."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 15)) {
+ return @{
+ Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000040"
+ Task = "The password history must be configured to 24 passwords remembered."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 24)) {
+ return @{
+ Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000050"
+ Task = "The maximum password age must be configured to 60 days or less."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 60)) {
+ return @{
+ Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000060"
+ Task = "The minimum password age must be configured to at least one day."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 1)) {
+ return @{
+ Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000070"
+ Task = "The minimum password length must be configured to 14 characters."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 14)) {
+ return @{
+ Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000080"
+ Task = "The built-in Windows password complexity policy must be enabled."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 1) {
+ return @{
+ Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AC-000090"
+ Task = "Reversible password encryption must be disabled."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 0) {
+ return @{
+ Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000250"
+ Task = "Anonymous SID/Name translation must not be allowed."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LSAAnonymousNameLookup"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 0) {
+ return @{
+ Message = "'LSAAnonymousNameLookup' currently set to: $setPolicy. Expected: 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000370"
+ Task = "Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ForceLogoffWhenHourExpire"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 1) {
+ return @{
+ Message = "'ForceLogoffWhenHourExpire' currently set to: $setPolicy. Expected: 1"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#FileSystemPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#FileSystemPermissions.ps1
new file mode 100644
index 00000000..6032e8f8
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#FileSystemPermissions.ps1
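Review bot: WN16-AC-000050 only fails when `$setPolicy -gt 60`, so a security-policy export of `MaximumPasswordAge = -1` (what secedit typically writes when the setting is 0, "password never expires") or `0` is reported as compliant, even though a never-expiring maximum age is what this STIG item exists to catch. Tighten the condition and its message to `if (($setPolicy -gt 60) -or ($setPolicy -le 0)) {` and `Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 1 <= x <= 60"`. WN16-AC-000010 has the opposite gap: a LockoutDuration of `0` (account stays locked until an administrator unlocks it) is the more restrictive setting and is not a finding in the STIG check text, yet `$setPolicy -lt 15` flags it, so it should be exempted with `-and $setPolicy -ne 0`. If Get-AuditResource returns these values as strings rather than integers (not visible in this hunk), PowerShell converts the integer literal to a string and compares lexicographically, so `"5" -lt 15` and `"10" -gt 3` are both False; casting once with `[int]$setPolicy` before the comparisons would make every check in this file robust either way.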
@@ -0,0 +1,474 @@
+# Common
+using namespace System.Security.AccessControl
+
+# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management')
+
+enum GARights {
+ GENERIC_READ = 0x80000000
+ GENERIC_WRITE = 0x40000000
+ GENERIC_EXECUTE = 0x20000000
+ GENERIC_ALL = 0x10000000
+}
+
+# See https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights for more information
+$GAToFSRMapping = @{
+ [GARights]::GENERIC_READ = `
+ [FileSystemRights]::ReadAttributes -bor `
+ [FileSystemRights]::ReadData -bor `
+ [FileSystemRights]::ReadExtendedAttributes -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_WRITE = `
+ [FileSystemRights]::AppendData -bor `
+ [FileSystemRights]::WriteAttributes -bor `
+ [FileSystemRights]::WriteData -bor `
+ [FileSystemRights]::WriteExtendedAttributes -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_EXECUTE = `
+ [FileSystemRights]::ExecuteFile -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::ReadAttributes -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_ALL = `
+ [FileSystemRights]::FullControl
+}
+
+function Convert-FileSystemRights {
+ param(
+ [Parameter(Mandatory = $true)]
+ [FileSystemRights] $OriginalRights
+ )
+
+ [FileSystemRights]$MappedRights = [FileSystemRights]::new()
+
+ # map generic access right
+ foreach ($GAR in $GAToFSRMapping.Keys) {
+ if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
+ $MappedRights = $MappedRights -bor $GAToFSRMapping[$GAR]
+ }
+ }
+
+ # mask standard access rights and object-specific access rights
+ $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
+
+ return $MappedRights
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN16-AU-000030"
+ Task = "Permissions for the Application event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Application.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Application.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AU-000040"
+ Task = "Permissions for the Security event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Security.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Security.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AU-000050"
+ Task = "Permissions for the System event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\System.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\System.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-AU-000060"
+ Task = "Event Viewer must be protected from unauthorized modification and deletion."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\Eventvwr.exe").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\Eventvwr.exe)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "NT Authority\System" = "ReadAndExecute, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000160"
+ Task = "Permissions for the system drive root directory (usually C:\) must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemDrive}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemDrive}\)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize, CreateFiles, CreateDirectories"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000170 A"
+ Task = "Permissions for program file directories must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:ProgramFiles}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:ProgramFiles}\)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "FullControl, Modify, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl, Modify, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000170 B"
+ Task = "Permissions for program file directories must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:ProgramFiles(x86)}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:ProgramFiles(x86)}\)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "FullControl, Modify, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl, Modify, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000180"
+ Task = "Permissions for the Windows installation directory must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:windir}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:windir}\)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "FullControl, Modify, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl, Modify, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
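Review bot: Every test in this hunk reads `$acls = (Get-Acl "...").Access` with no error handling, so when the target cannot be read (missing path, access denied) Get-Acl raises only a non-terminating error, `$acls` stays empty, both `.Count` checks evaluate to 0, and the test returns `Status = "True"` / "Compliant" — the check fails open. Read the ACL with `-ErrorAction Stop` inside a try/catch that returns `Status = "False"`, or at least guard the comparisons with `if (-not $acls) { return @{ Status = "False"; Message = "ACL could not be read" } }`. The same fail-open pattern is in the RegistryPermissions hunk that follows (WN16-00-000190 A–C), where reading the HKLM\SECURITY key plausibly fails without elevation. The comparison also never consults `$_.AccessControlType`, so a Deny ACE carrying the expected rights counts as compliant and an unexpected Deny ACE is reported as granted access; filtering on `AccessControlType -eq 'Allow'` and reporting Deny entries separately would make the messages accurate. Each Write-Verbose string also ends with a stray `)` after the path, e.g. `Application.evtx)`.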
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistryPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistryPermissions.ps1
new file mode 100644
index 00000000..916d4fd6
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistryPermissions.ps1
@@ -0,0 +1,200 @@
+# Common
+using namespace System.Security.AccessControl
+
+# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management')
+
+enum GARights {
+ GENERIC_READ = 0x80000000
+ GENERIC_WRITE = 0x40000000
+ GENERIC_EXECUTE = 0x20000000
+ GENERIC_ALL = 0x10000000
+}
+
+# Non official mappings
+$GAToRRMaping = @{
+ [GARights]::GENERIC_READ = `
+ [RegistryRights]::ReadKey
+ [GARights]::GENERIC_WRITE = `
+ [RegistryRights]::WriteKey
+ [GARights]::GENERIC_ALL = `
+ [RegistryRights]::FullControl
+}
+
+function Convert-RegistryRights {
+ param(
+ [Parameter(Mandatory = $true)]
+ [RegistryRights] $OriginalRights
+ )
+
+ [RegistryRights]$MappedRights = [RegistryRights]::new()
+
+ # map generic access right
+ foreach ($GAR in $GAToRRMaping.Keys) {
+ if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
+ $MappedRights = $MappedRights -bor $GAToRRMaping[$GAR]
+ }
+ }
+
+ # mask standard access rights and object-specific access rights
+ $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
+
+ return $MappedRights
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN16-00-000190 A"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SECURITY").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SECURITY)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "ReadPermissions, ChangePermissions"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000190 B"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SOFTWARE").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SOFTWARE)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadKey"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000190 C"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SYSTEM").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SYSTEM)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadKey"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistrySettings.ps1
new file mode 100644
index 00000000..3f214a5f
--- /dev/null
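Review bot: `$GAToRRMaping` has no entry for `GENERIC_EXECUTE`, so an ACE that carries only that generic bit loses it in `Convert-RegistryRights`: the foreach maps nothing and the mask `($OriginalRights -band 0x00FFFFFF)` drops bit 0x20000000, so the test would likely report that principal with access `0` instead of its real rights. For registry keys GENERIC_EXECUTE is equivalent to KEY_READ, so adding `[GARights]::GENERIC_EXECUTE = [RegistryRights]::ReadKey` to the table (and fixing the `Maping` spelling while touching it) closes the gap. The `.GetNewClosure()` appended to the second ForEach-Object block in all three tests looks unnecessary — ForEach-Object runs the block in the caller's scope, where `$PrincipalRights` is already visible — and it differs from the otherwise identical code in the FileSystemPermissions file, so dropping it keeps the two files in step. A one-line comment above each `$PrincipalRights` table naming the source of the expected entries (Windows default vs. STIG requirement) would also help the next maintainer judge a reported mismatch.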
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#RegistrySettings.ps1 
@@ -0,0 +1,3808 @@
+[AuditTest] @{
+ Id = "WN16-CC-000280"
+ Task = "Administrator accounts must not be enumerated during elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" `
+ -Name "EnumerateAdministrators" `
+ | Select-Object -ExpandProperty "EnumerateAdministrators"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000010"
+ Task = "The display of slide shows on the lock screen must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" `
+ -Name "NoLockScreenSlideshow" `
+ | Select-Object -ExpandProperty "NoLockScreenSlideshow"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000020"
+ Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "LocalAccountTokenFilterPolicy" `
+ | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000030"
+ Task = "WDigest Authentication must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" `
+ -Name "UseLogonCredential" `
+ | Select-Object -ExpandProperty "UseLogonCredential"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000040"
+ Task = "Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000050"
+ Task = "Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000060"
+ Task = "Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "EnableICMPRedirect" `
+ | Select-Object -ExpandProperty "EnableICMPRedirect"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000070"
+ Task = "Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
+ -Name "NoNameReleaseOnDemand" `
+ | Select-Object -ExpandProperty "NoNameReleaseOnDemand"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000080"
+ Task = "Insecure logons to an SMB server must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" `
+ -Name "AllowInsecureGuestAuth" `
+ | Select-Object -ExpandProperty "AllowInsecureGuestAuth"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000090 A"
+ Task = "Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
+ -Name "\\*\NETLOGON" `
+ | Select-Object -ExpandProperty "\\*\NETLOGON"
+
+ if ($regValue -ne "RequireMutualAuthentication=1, RequireIntegrity=1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000090 B"
+ Task = "Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
+ -Name "\\*\SYSVOL" `
+ | Select-Object -ExpandProperty "\\*\SYSVOL"
+
+ if ($regValue -ne "RequireMutualAuthentication=1, RequireIntegrity=1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000100"
+ Task = "Command line data must be included in process creation events."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
+ -Name "ProcessCreationIncludeCmdLine_Enabled" `
+ | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000110 A"
+ Task = "Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "EnableVirtualizationBasedSecurity" `
+ | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000110 B"
+ Task = "Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "RequirePlatformSecurityFeatures" `
+ | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000120"
+ Task = "Credential Guard must be running on domain-joined member servers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "LsaCfgFlags" `
+ | Select-Object -ExpandProperty "LsaCfgFlags"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000130"
+ Task = "Virtualization-based protection of code integrity must be enabled on domain-joined systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "HypervisorEnforcedCodeIntegrity" `
+ | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000140"
+ Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" `
+ -Name "DriverLoadPolicy" `
+ | Select-Object -ExpandProperty "DriverLoadPolicy"
+
+ if ($regValue -ne 8) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 8"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000150"
+ Task = "Group Policy objects must be reprocessed even if they have not changed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoGPOListChanges" `
+ | Select-Object -ExpandProperty "NoGPOListChanges"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000160"
+ Task = "Downloading print driver packages over HTTP must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableWebPnPDownload" `
+ | Select-Object -ExpandProperty "DisableWebPnPDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000170"
+ Task = "Printing over HTTP must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableHTTPPrinting" `
+ | Select-Object -ExpandProperty "DisableHTTPPrinting"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000180"
+ Task = "The network selection user interface (UI) must not be displayed on the logon screen."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "DontDisplayNetworkSelectionUI" `
+ | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000030"
+ Task = "Local users on domain-joined computers must not be enumerated."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnumerateLocalUsers" `
+ | Select-Object -ExpandProperty "EnumerateLocalUsers"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000210"
+ Task = "Users must be prompted to authenticate when the system wakes from sleep (on battery)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000220"
+ Task = "Users must be prompted to authenticate when the system wakes from sleep (plugged in)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000040"
+ Task = "Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" `
+ -Name "RestrictRemoteClients" `
+ | Select-Object -ExpandProperty "RestrictRemoteClients"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000240"
+ Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" `
+ -Name "DisableInventory" `
+ | Select-Object -ExpandProperty "DisableInventory"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000250"
+ Task = "AutoPlay must be turned off for non-volume devices."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoAutoplayfornonVolume" `
+ | Select-Object -ExpandProperty "NoAutoplayfornonVolume"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000260"
+ Task = "The default AutoRun behavior must be configured to prevent AutoRun commands."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoAutorun" `
+ | Select-Object -ExpandProperty "NoAutorun"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000270"
+ Task = "AutoPlay must be disabled for all drives."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" `
+ -Name "NoDriveTypeAutoRun" `
+ | Select-Object -ExpandProperty "NoDriveTypeAutoRun"
+
+ if ($regValue -ne 255) {
+ return @{
+ Message = "Registry value is '$regValue'.
Expected: 255"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000290"
+ Task = "Windows Telemetry must be configured to Security or Basic."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
+ -Name "AllowTelemetry" `
+ | Select-Object -ExpandProperty "AllowTelemetry"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000300"
+ Task = "The Application event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000310"
+ Task = "The Security event log size must be configured to 196608 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 196608) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 196608"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000320"
+ Task = "The System event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000330"
+ Task = "Windows SmartScreen must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableSmartScreen" `
+ | Select-Object -ExpandProperty "EnableSmartScreen"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000340"
+ Task = "Explorer Data Execution Prevention must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoDataExecutionPrevention" `
+ | Select-Object -ExpandProperty "NoDataExecutionPrevention"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000350"
+ Task = "Turning off File Explorer heap termination on corruption must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoHeapTerminationOnCorruption" `
+ | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000360"
+ Task = "File Explorer shell protocol must run in protected mode."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "PreXPSP2ShellProtocolBehavior" `
+ | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-CC-000370"
+ Task = "Passwords must not be saved in the Remote Desktop Client."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000380" + Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000390" + Task = "Remote Desktop Services must always prompt a client for passwords upon connection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000400" + Task = "The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000410" + Task = "Remote Desktop Services must be configured with the client connection encryption set to High Level." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000420" + Task = "Attachments must be prevented from being downloaded from RSS feeds." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000430" + Task = "Basic authentication for RSS feeds over HTTP must not be used." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000440" + Task = "Indexing of encrypted files must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000450" + Task = "Users must be prevented from changing installation options." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000460" + Task = "The Windows Installer Always install with elevated privileges option must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000470" + Task = "Users must be notified if a web-based program attempts to install software." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000480" + Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000490" + Task = "PowerShell script block logging must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000500" + Task = "The Windows Remote Management (WinRM) client must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000510" + Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000520" + Task = "The Windows Remote Management (WinRM) client must not use Digest authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000530" + Task = "The Windows Remote Management (WinRM) service must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000540" + Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-CC-000550" + Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000020" + Task = "Local accounts with blank passwords must be restricted to prevent access from the network." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000050" + Task = "Audit policy using subcategories must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-DC-000320" + Task = "Domain controllers must require LDAP access signing." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-DC-000330" + Task = "Domain controllers must be configured to allow reset of machine account passwords." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000080" + Task = "Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000090" + Task = "Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000100" + Task = "Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000110" + Task = "The computer account password must not be prevented from being reset." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000120" + Task = "The maximum age for machine account passwords must be configured to 30 days or less." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000130" + Task = "Windows Server 2016 must be configured to require a strong session key." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000140" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-MS-000050" + Task = "Caching of logon credentials must be limited." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if (($regValue -gt 4)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000190" + Task = "The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000200" + Task = "The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000210" + Task = "Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000220" + Task = "The amount of idle time required before suspending a session must be configured to 15 minutes or less." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "autodisconnect" ` + | Select-Object -ExpandProperty "autodisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000230" + Task = "The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000240" + Task = "The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000260" + Task = "Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN16-SO-000270" + Task = "Anonymous enumeration of shares must not be allowed." 
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "RestrictAnonymous" `
+ | Select-Object -ExpandProperty "RestrictAnonymous"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000280"
+ Task = "Windows Server 2016 must be configured to prevent the storage of passwords and credentials."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "DisableDomainCreds" `
+ | Select-Object -ExpandProperty "DisableDomainCreds"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000290"
+ Task = "Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "EveryoneIncludesAnonymous" `
+ | Select-Object -ExpandProperty "EveryoneIncludesAnonymous"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000300"
+ Task = "Anonymous access to Named Pipes and Shares must be restricted."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
+ -Name "RestrictNullSessAccess" `
+ | Select-Object -ExpandProperty "RestrictNullSessAccess"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000310"
+ Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" `
+ -Name "RestrictRemoteSAM" `
+ | Select-Object -ExpandProperty "RestrictRemoteSAM"
+
+ if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000320"
+ Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" `
+ -Name "UseMachineId" `
+ | Select-Object -ExpandProperty "UseMachineId"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000330"
+ Task = "NTLM must be prevented from falling back to a Null session."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" `
+ -Name "allownullsessionfallback" `
+ | Select-Object -ExpandProperty "allownullsessionfallback"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000340"
+ Task = "PKU2U authentication using online identities must be prevented."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" `
+ -Name "AllowOnlineID" `
+ | Select-Object -ExpandProperty "AllowOnlineID"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000350"
+ Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
+ -Name "SupportedEncryptionTypes" `
+ | Select-Object -ExpandProperty "SupportedEncryptionTypes"
+
+ if ($regValue -ne 2147483640) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2147483640"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000360"
+ Task = "Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "NoLMHash" `
+ | Select-Object -ExpandProperty "NoLMHash"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000380"
+ Task = "The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "LmCompatibilityLevel" `
+ | Select-Object -ExpandProperty "LmCompatibilityLevel"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000390"
+ Task = "Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" `
+ -Name "LDAPClientIntegrity" `
+ | Select-Object -ExpandProperty "LDAPClientIntegrity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000400"
+ Task = "Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinClientSec" `
+ | Select-Object -ExpandProperty "NTLMMinClientSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000410"
+ Task = "Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinServerSec" `
+ | Select-Object -ExpandProperty "NTLMMinServerSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000420"
+ Task = "Users must be required to enter a password to access private keys stored on the computer."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" `
+ -Name "ForceKeyProtection" `
+ | Select-Object -ExpandProperty "ForceKeyProtection"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000430"
+ Task = "Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000440"
+ Task = "Windows Server 2016 must be configured to require case insensitivity for non-Windows subsystems."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" `
+ -Name "ObCaseInsensitive" `
+ | Select-Object -ExpandProperty "ObCaseInsensitive"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000450"
+ Task = "The default permissions of global system objects must be strengthened."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" `
+ -Name "ProtectionMode" `
+ | Select-Object -ExpandProperty "ProtectionMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000460"
+ Task = "User Account Control approval mode for the built-in Administrator must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "FilterAdministratorToken" `
+ | Select-Object -ExpandProperty "FilterAdministratorToken"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000470"
+ Task = "UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableUIADesktopToggle" `
+ | Select-Object -ExpandProperty "EnableUIADesktopToggle"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000480"
+ Task = "User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorAdmin" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000490"
+ Task = "User Account Control must automatically deny standard user requests for elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorUser" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000500"
+ Task = "User Account Control must be configured to detect application installations and prompt for elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableInstallerDetection" `
+ | Select-Object -ExpandProperty "EnableInstallerDetection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000510"
+ Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableSecureUIAPaths" `
+ | Select-Object -ExpandProperty "EnableSecureUIAPaths"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000520"
+ Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableLUA" `
+ | Select-Object -ExpandProperty "EnableLUA"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000530"
+ Task = "User Account Control must virtualize file and registry write failures to per-user locations."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableVirtualization" `
+ | Select-Object -ExpandProperty "EnableVirtualization"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UC-000010"
+ Task = "A screen saver must be enabled on the system."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop" `
+ -Name "ScreenSaveActive" `
+ | Select-Object -ExpandProperty "ScreenSaveActive"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UC-000020"
+ Task = "The screen saver must be password protected."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop" `
+ -Name "ScreenSaverIsSecure" `
+ | Select-Object -ExpandProperty "ScreenSaverIsSecure"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UC-000030"
+ Task = "Zone information must be preserved when saving attachments."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" `
+ -Name "SaveZoneInformation" `
+ | Select-Object -ExpandProperty "SaveZoneInformation"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-SO-000180"
+ Task = "The Smart Card removal option must be configured to Force Logoff or Lock Workstation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
+ -Name "scremoveoption" `
+ | Select-Object -ExpandProperty "scremoveoption"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#UserRights.ps1
new file mode 100644
index 00000000..9df7f6d4
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#UserRights.ps1
@@ -0,0 +1,1611 @@
+# Common
+function ConvertTo-NTAccountUser {
+ [CmdletBinding()]
+ [OutputType([hashtable])]
+ Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string] $Name
+ )
+
+ process {
+ # Identity doesn't exist on when Hyper-V isn't installed
+ if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
+ (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
+ return $null
+ }
+
+ Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
+ if ($Name -match "^(S-[0-9-]{3,})") {
+ $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
+ }
+ else {
+ $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
+ }
+ return @{
+ Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
+ Sid = $sidAccount.Value
+ }
+ }
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN16-UR-000010"
+ Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000340"
+ Task = "The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "NT AUTHORITY\Authenticated Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000340"
+ Task = "The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "NT AUTHORITY\Authenticated Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000030"
+ Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000350"
+ Task = "The Add workstations to domain user right must only be assigned to the Administrators group."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000050"
+ Task = "The Allow log on locally user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000360"
+ Task = "The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000070"
+ Task = "The Back up files and directories user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000080"
+ Task = "The Create a pagefile user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000090"
+ Task = "The Create a token object user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000100"
+ Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ "Service"
+ "Local Service"
+ "Network Service"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000110"
+ Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000120"
+ Task = "The Create symbolic links user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-UR-000130"
+ Task = "The Debug programs user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000370"
+ Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000370 MS"
+ Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Administrators"
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000370 SS"
+ Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000380"
+ Task = "The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000380 MS"
+ Task = "The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000380 SS"
+ Task = "The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000390"
+ Task = "The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000390 MS"
+ Task = "The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"]
+ $identityAccounts = @(
+ "Enterprise Admins"
+ "Domain Admins"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000390 SS"
+ Task = "The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "StandaloneServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-DC-000400"
+ Task = "The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Guests"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-MS-000400 MS"
+ Task = "The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems."
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "Enterprise Admins" + "Domain Admins" + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-MS-000400 SS" + Task = "The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "StandaloneServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-DC-000410" + Task = "The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-MS-000410 MS" + Task = "The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "Enterprise Admins" + "Domain Admins" + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-MS-000410 SS" + Task = "The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "StandaloneServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-DC-000420" + Task = "The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-MS-000420" + Task = "The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000200" + Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000210" + Task = "The Generate security audits user right must only be assigned to Local Service and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "Local Service" + "Network Service" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000220" + Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "Administrators" + "Service" + "Local Service" + "Network Service" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000230" + Task = "The Increase scheduling priority user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000240" + Task = "The Load and unload device drivers user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000250" + Task = "The Lock pages in memory user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000260" + Task = "The Manage auditing and security log user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000270" + Task = "The Modify firmware environment values user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000280" + Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000290" + Task = "The Profile single process user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000300" + Task = "The Restore files and directories user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN16-UR-000310" + Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#WindowsFeatures.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#WindowsFeatures.ps1 new file mode 100644 index 00000000..672f8123 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R6#WindowsFeatures.ps1 
@@ -0,0 +1,152 @@
+[AuditTest] @{
+ Id = "WN16-00-000350"
+ Task = "The Fax Server role must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Fax").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000360"
+ Task = "The Microsoft FTP service must not be installed unless required."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Web-Ftp-Service").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000370"
+ Task = "The Peer Name Resolution Protocol must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "PNRP").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000380"
+ Task = "Simple TCP/IP Services must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Simple-TCPIP").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000390"
+ Task = "The Telnet Client must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Telnet-Client").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000400"
+ Task = "The TFTP Client must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "TFTP-Client").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000410"
+ Task = "The Server Message Block (SMB) v1 protocol must be uninstalled."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "FS-SMB1").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN16-00-000420"
+ Task = "Windows PowerShell 2.0 must not be installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "PowerShell-v2").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AccountPolicies.ps1
new file mode 100644
index 00000000..b2d0fab8
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AccountPolicies.ps1
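Review bot: Every one of the eight tests in this hunk reports "Compliant" when the feature lookup yields nothing, because `(Get-WindowsFeature | Where-Object Name -eq "Fax").InstallState` evaluates to `$null` when no feature matches (wrong name, cmdlet not available, query error) and `$null -eq "Installed"` is simply false, so an undetermined state silently passes an audit that exists to prove SMBv1, Telnet, TFTP and PowerShell 2.0 are absent. Each test should fail closed with an explicit message, e.g. for WN16-00-000350: `$feature = Get-WindowsFeature -Name "Fax" -ErrorAction SilentlyContinue`, `if ($null -eq $feature) { return @{ Status = "False"; Message = "Install state of feature 'Fax' could not be determined." } }`, `$installState = $feature.InstallState`, and likewise for WN16-00-000360 through WN16-00-000420. Querying by `-Name` also avoids enumerating the full feature list eight times per run. The test script blocks are fully contained in the hunk.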
@@ -0,0 +1,234 @@
+[AuditTest] @{
+ Id = "1.1.1"
+ Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 24)) {
+ return @{
+ Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.2"
+ Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 5184000 -or $setPolicy -le 0)) {
+ return @{
+ Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 5184000 and x > 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.3"
+ Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 86400)) {
+ return @{
+ Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 86400"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.4"
+ Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 14)) {
+ return @{
+ Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.5"
+ Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne $True) {
+ return @{
+ Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: True"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.1.6"
+ Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne $False) {
+ return @{
+ Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: False"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.1"
+ Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutDuration"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 900)) {
+ return @{
+ Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 900"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.2"
+ Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 10 -or $setPolicy -le 0)) {
+ return @{
+ Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "1.2.3"
+ Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 900)) {
+ return @{
+ Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 900"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
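Review bot: The numeric checks (`$setPolicy -lt 24` in 1.1.1 and the same pattern in 1.1.2–1.1.4 and 1.2.1–1.2.3) rely on `$setPolicy` already being a number; `Get-AuditResource "WindowsSecurityPolicy"` is not in this hunk, and if it hands back the secedit values as strings PowerShell compares lexically ("9" -lt 24 is false), so a non-compliant value is silently reported as compliant and vice versa. Casting once, `if ([int]$setPolicy -lt 24) {`, makes each comparison independent of the resource's type; the `-ne $True` / `-ne $False` checks in 1.1.5 and 1.1.6 have the same dependency, since a string "1" or "0" compared against `$True` becomes "1" -ne "True" and would flag a compliant host. The thresholds 5184000, 86400 and 900 are seconds, while secedit exports MaximumPasswordAge/MinimumPasswordAge in days and LockoutDuration/ResetLockoutCount in minutes; unless Get-AuditResource converts those fields, a compliant 60-day or 15-minute setting is reported as non-compliant, and either way a comment on the comparison lines such as `# threshold in seconds (60 days); resource is expected to convert secedit's day value` would record the assumed unit. The messages ("Expected: x <= 5184000") are also hard for an operator who configured "60 days" to act on; stating the value in the unit of the benchmark would help.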
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AuditPolicies.ps1
new file mode 100644
index 00000000..d87ca2fd
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#AuditPolicies.ps1
@@ -0,0 +1,2015 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory ''" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory ''" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "False" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { + return @{ + Status = "False" + Message = "Couldn't get setting." 
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.4"
+ Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Logon
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Logon'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.5"
+ Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Logon Logoff Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon Logoff Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Logon Logoff Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.5.6"
+ Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Special Logon
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Special Logon'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.1"
+ Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Detailed File Share
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Detailed File Share'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Failure" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.2"
+ Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory File Share
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'File Share'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.3"
+ Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Object Access Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Object Access Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.6.4"
+ Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Removable Storage
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Removable Storage'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.1"
+ Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Audit Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Audit Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.2"
+ Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authentication Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authentication Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.3"
+ Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Authorization Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Authorization Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.4"
+ Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Mpssvc Rule Level Policy Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule Level Policy Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Mpssvc Rule Level Policy Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.7.5"
+ Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other Policy Change Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other Policy Change Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Failure" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.8.1"
+ Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Sensitive Privilege Use
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Sensitive Privilege Use'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.1"
+ Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Ipsec Driver
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Ipsec Driver'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.2"
+ Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory Other System Events
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Other System Events'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.3"
+ Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Security State Change
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security State Change'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.4"
+ Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'"
+ Test = {
+ # Get the audit policy for the subcategory Security System Extension
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'Security System Extension'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success" -and $setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "17.9.5"
+ Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'"
+ Test = {
+ # Get the audit policy for the subcategory System Integrity
+ $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity"
+
+ if ([string]::IsNullOrEmpty($subCategoryGUID)) {
+ return @{
+ Message = "Cannot get Subcategory 'System Integrity'"
+ Status = "None"
+ }
+ }
+
+ $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
+
+ # auditpol does not throw exceptions, so test the results and throw if needed
+ if ($LASTEXITCODE -ne 0) {
+ $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
+ throw [System.ArgumentException] $errorString
+ Write-Error -Message $errorString
+ }
+
+ if ($null -eq $auditPolicyString) {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting. Auditpol returned nothing."
+ }
+ }
+
+ # Remove empty lines and headers
+ $line = $auditPolicyString `
+ | Where-Object { $_ } `
+ | Select-Object -Skip 3
+
+ if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
+ return @{
+ Status = "False"
+ Message = "Couldn't get setting."
+ }
+ }
+
+ $setting = $Matches[0]
+
+ if ($setting -ne "Success and Failure") {
+ return @{
+ Status = "False"
+ Message = "Set to: $setting"
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#RegistrySettings.ps1
new file mode 100644
index 00000000..adf1b4f4
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#RegistrySettings.ps1
@@ -0,0 +1,9351 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.2" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -eq 0 -or $regValue -gt 900)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x != 0 and x <= 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -notmatch ".+") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -notmatch ".+") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.8"
+ Task = "(L1) Configure 'Network access: Remotely accessible registry paths'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" `
+ -Name "Machine" `
+ | Select-Object -ExpandProperty "Machine"
+
+ $reference = @(
+ "System\CurrentControlSet\Control\ProductOptions"
+ "System\CurrentControlSet\Control\Server Applications"
+ "Software\Microsoft\Windows NT\CurrentVersion"
+ )
+ if (-not (Test-ArrayEqual $regValue $reference)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.9"
+ Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" `
+ -Name "Machine" `
+ | Select-Object -ExpandProperty "Machine"
+
+ $reference = @(
+ "System\CurrentControlSet\Control\Print\Printers"
+ "System\CurrentControlSet\Services\Eventlog"
+ "Software\Microsoft\OLAP Server"
+ "Software\Microsoft\Windows NT\CurrentVersion\Print"
+ "Software\Microsoft\Windows NT\CurrentVersion\Windows"
+ "System\CurrentControlSet\Control\ContentIndex"
+ "System\CurrentControlSet\Control\Terminal Server"
+ "System\CurrentControlSet\Control\Terminal Server\UserConfig"
+ "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration"
+ "Software\Microsoft\Windows NT\CurrentVersion\Perflib"
+ "System\CurrentControlSet\Services\SysmonLog"
+ "System\CurrentControlSet\Services\CertSvc"
+ "System\CurrentControlSet\Services\WINS"
+ )
+ if (-not (Test-ArrayEqual $regValue $reference)) {
+ return @{
+ Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\WINS"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.10"
+ Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
+ -Name "RestrictNullSessAccess" `
+ | Select-Object -ExpandProperty "RestrictNullSessAccess"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.11"
+ Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "restrictremotesam" `
+ | Select-Object -ExpandProperty "restrictremotesam"
+
+ if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.12"
+ Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" `
+ -Name "NullSessionShares" `
+ | Select-Object -ExpandProperty "NullSessionShares"
+
+ $reference = @(
+ )
+ if (-not (Test-ArrayEqual $regValue $reference)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: "
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.10.13"
+ Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "ForceGuest" `
+ | Select-Object -ExpandProperty "ForceGuest"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.1"
+ Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "UseMachineId" `
+ | Select-Object -ExpandProperty "UseMachineId"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.2"
+ Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "AllowNullSessionFallback" `
+ | Select-Object -ExpandProperty "AllowNullSessionFallback"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.3"
+ Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" `
+ -Name "AllowOnlineID" `
+ | Select-Object -ExpandProperty "AllowOnlineID"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.4"
+ Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
+ -Name "SupportedEncryptionTypes" `
+ | Select-Object -ExpandProperty "SupportedEncryptionTypes"
+
+ if ($regValue -ne 2147483640) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2147483640"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.5"
+ Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "NoLMHash" `
+ | Select-Object -ExpandProperty "NoLMHash"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.7"
+ Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
+ -Name "LmCompatibilityLevel" `
+ | Select-Object -ExpandProperty "LmCompatibilityLevel"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.8"
+ Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" `
+ -Name "LDAPClientIntegrity" `
+ | Select-Object -ExpandProperty "LDAPClientIntegrity"
+
+ if (($regValue -lt 1)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.9"
+ Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinClientSec" `
+ | Select-Object -ExpandProperty "NTLMMinClientSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.11.10"
+ Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinServerSec" `
+ | Select-Object -ExpandProperty "NTLMMinServerSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.13.1"
+ Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ShutdownWithoutLogon" `
+ | Select-Object -ExpandProperty "ShutdownWithoutLogon"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.15.1"
+ Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" `
+ -Name "ObCaseInsensitive" `
+ | Select-Object -ExpandProperty "ObCaseInsensitive"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.15.2"
+ Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" `
+ -Name "ProtectionMode" `
+ | Select-Object -ExpandProperty "ProtectionMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.1"
+ Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "FilterAdministratorToken" `
+ | Select-Object -ExpandProperty "FilterAdministratorToken"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.2"
+ Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorAdmin" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.3"
+ Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorUser" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.4"
+ Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableInstallerDetection" `
+ | Select-Object -ExpandProperty "EnableInstallerDetection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.5"
+ Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableSecureUIAPaths" `
+ | Select-Object -ExpandProperty "EnableSecureUIAPaths"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.6"
+ Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableLUA" `
+ | Select-Object -ExpandProperty "EnableLUA"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.7"
+ Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "PromptOnSecureDesktop" `
+ | Select-Object -ExpandProperty "PromptOnSecureDesktop"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "2.3.17.8"
+ Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableVirtualization" `
+ | Select-Object -ExpandProperty "EnableVirtualization"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.1"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
+ -Name "EnableFirewall" `
+ | Select-Object -ExpandProperty "EnableFirewall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.2"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
+ -Name "DefaultInboundAction" `
+ | Select-Object -ExpandProperty "DefaultInboundAction"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.3"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
+ -Name "DefaultOutboundAction" `
+ | Select-Object -ExpandProperty "DefaultOutboundAction"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.4"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" `
+ -Name "DisableNotifications" `
+ | Select-Object -ExpandProperty "DisableNotifications"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.5"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogFilePath" `
+ | Select-Object -ExpandProperty "LogFilePath"
+
+ if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\domainfw.log") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\domainfw.log"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.6"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogFileSize" `
+ | Select-Object -ExpandProperty "LogFileSize"
+
+ if (($regValue -lt 16384)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x >= 16384"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.7"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogDroppedPackets" `
+ | Select-Object -ExpandProperty "LogDroppedPackets"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.1.8"
+ Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" `
+ -Name "LogSuccessfulConnections" `
+ | Select-Object -ExpandProperty "LogSuccessfulConnections"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "9.2.1"
+ Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" `
+ -Name "EnableFirewall" `
+ | Select-Object -ExpandProperty "EnableFirewall"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DisableNotifications" ` + | Select-Object -ExpandProperty "DisableNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogFilePath" ` + | Select-Object -ExpandProperty "LogFilePath" + + if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\privatefw.log") { + return @{ + Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\privatefw.log" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogFileSize" ` + | Select-Object -ExpandProperty "LogFileSize" + + if (($regValue -lt 16384)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 16384" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogDroppedPackets" ` + | Select-Object -ExpandProperty "LogDroppedPackets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.8" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DisableNotifications" ` + | Select-Object -ExpandProperty "DisableNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "AllowLocalPolicyMerge" ` + | Select-Object -ExpandProperty "AllowLocalPolicyMerge" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "AllowLocalIPsecPolicyMerge" ` + | Select-Object -ExpandProperty "AllowLocalIPsecPolicyMerge" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogFilePath" ` + | Select-Object -ExpandProperty "LogFilePath" + + if ($regValue -ne "%SystemRoot%\System32\logfiles\firewall\publicfw.log") { + return @{ + Message = "Registry value is '$regValue'. Expected: %SystemRoot%\System32\logfiles\firewall\publicfw.log" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogFileSize" ` + | Select-Object -ExpandProperty "LogFileSize" + + if (($regValue -lt 16384)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 16384" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogDroppedPackets" ` + | Select-Object -ExpandProperty "LogDroppedPackets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3.10" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.3" + Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if (($regValue -lt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if (($regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.4" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.5" + Task = "(L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.6" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.7" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.7"
+ Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "PerformRouterDiscovery" `
+ | Select-Object -ExpandProperty "PerformRouterDiscovery"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.8"
+ Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" `
+ -Name "SafeDllSearchMode" `
+ | Select-Object -ExpandProperty "SafeDllSearchMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.9"
+ Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" `
+ -Name "ScreenSaverGracePeriod" `
+ | Select-Object -ExpandProperty "ScreenSaverGracePeriod"
+
+ if (($regValue -gt 5)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x <= 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.10"
+ Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" `
+ -Name "tcpmaxdataretransmissions" `
+ | Select-Object -ExpandProperty "tcpmaxdataretransmissions"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.11"
+ Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "tcpmaxdataretransmissions" `
+ | Select-Object -ExpandProperty "tcpmaxdataretransmissions"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.4.12"
+ Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" `
+ -Name "WarningLevel" `
+ | Select-Object -ExpandProperty "WarningLevel"
+
+ if (($regValue -gt 90)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x <= 90"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.4.1"
+ Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
+ -Name "EnableMulticast" `
+ | Select-Object -ExpandProperty "EnableMulticast"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.5.1"
+ Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableFontProviders" `
+ | Select-Object -ExpandProperty "EnableFontProviders"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.8.1"
+ Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" `
+ -Name "AllowInsecureGuestAuth" `
+ | Select-Object -ExpandProperty "AllowInsecureGuestAuth"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.10.2"
+ Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" `
+ -Name "Disabled" `
+ | Select-Object -ExpandProperty "Disabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.11.2"
+ Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" `
+ -Name "NC_AllowNetBridge_NLA" `
+ | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.11.3"
+ Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" `
+ -Name "NC_ShowSharedAccessUI" `
+ | Select-Object -ExpandProperty "NC_ShowSharedAccessUI"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.11.4"
+ Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" `
+ -Name "NC_StdDomainUserSetLocation" `
+ | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.19.2.1"
+ Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" `
+ -Name "DisabledComponents" `
+ | Select-Object -ExpandProperty "DisabledComponents"
+
+ if ($regValue -ne 255) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 255"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.20.2"
+ Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" `
+ -Name "DisableWcnUi" `
+ | Select-Object -ExpandProperty "DisableWcnUi"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.21.1"
+ Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" `
+ -Name "fMinimizeConnections" `
+ | Select-Object -ExpandProperty "fMinimizeConnections"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.5.21.2"
+ Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" `
+ -Name "fBlockNonDomain" `
+ | Select-Object -ExpandProperty "fBlockNonDomain"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.7.1.1"
+ Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" `
+ -Name "NoCloudApplicationNotification" `
+ | Select-Object -ExpandProperty "NoCloudApplicationNotification"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.3.1"
+ Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
+ -Name "ProcessCreationIncludeCmdLine_Enabled" `
+ | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.4.1"
+ Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" `
+ -Name "AllowEncryptionOracle" `
+ | Select-Object -ExpandProperty "AllowEncryptionOracle"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.4.2"
+ Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" `
+ -Name "AllowProtectedCreds" `
+ | Select-Object -ExpandProperty "AllowProtectedCreds"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.1"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "EnableVirtualizationBasedSecurity" `
+ | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.2"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "RequirePlatformSecurityFeatures" `
+ | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.3"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "HypervisorEnforcedCodeIntegrity" `
+ | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.4"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "HVCIMATRequired" `
+ | Select-Object -ExpandProperty "HVCIMATRequired"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.5"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "LsaCfgFlags" `
+ | Select-Object -ExpandProperty "LsaCfgFlags"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.6"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "LsaCfgFlags" `
+ | Select-Object -ExpandProperty "LsaCfgFlags"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.5.7"
+ Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "ConfigureSystemGuardLaunch" `
+ | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.14.1"
+ Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" `
+ -Name "DriverLoadPolicy" `
+ | Select-Object -ExpandProperty "DriverLoadPolicy"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.2"
+ Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoBackgroundPolicy" `
+ | Select-Object -ExpandProperty "NoBackgroundPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.3"
+ Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoGPOListChanges" `
+ | Select-Object -ExpandProperty "NoGPOListChanges"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.4"
+ Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableCdp" `
+ | Select-Object -ExpandProperty "EnableCdp"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.21.5"
+ Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "DisableBkGndGroupPolicy" `
+ | Select-Object -ExpandProperty "DisableBkGndGroupPolicy"
+
+ return @{
+ Message = "Registry value found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.1"
+ Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableWebPnPDownload" `
+ | Select-Object -ExpandProperty "DisableWebPnPDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.2"
+ Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" `
+ -Name "PreventHandwritingDataSharing" `
+ | Select-Object -ExpandProperty "PreventHandwritingDataSharing"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.3"
+ Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" `
+ -Name "PreventHandwritingErrorReports" `
+ | Select-Object -ExpandProperty "PreventHandwritingErrorReports"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.4"
+ Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" `
+ -Name "ExitOnMSICW" `
+ | Select-Object -ExpandProperty "ExitOnMSICW"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.8.22.1.5"
+ Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoWebServices" `
+ | Select-Object -ExpandProperty "NoWebServices"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.26.1" + Task = "(L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.34.6.1" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.34.6.2" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.34.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.34.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.36.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.36.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.37.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.37.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.52.1.1" + Task = "(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.52.1.2" + Task = "(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.6.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.10.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.12.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.14.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.1" + Task = "(L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.3" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.16.4" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.2" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.43.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.44.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.52.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.3.1" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.3.2" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.3.3" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.3.4" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.60.1"
+ Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" `
+ -Name "DisableEnclosureDownload" `
+ | Select-Object -ExpandProperty "DisableEnclosureDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.2"
+ Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowCloudSearch" `
+ | Select-Object -ExpandProperty "AllowCloudSearch"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.61.3"
+ Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" `
+ -Name "AllowIndexingEncryptedStoresOrItems" `
+ | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.66.1"
+ Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" `
+ -Name "NoGenTicket" `
+ | Select-Object -ExpandProperty "NoGenTicket"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.3.1"
+ Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" `
+ -Name "LocalSettingOverrideSpynetReporting" `
+ | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.3.2"
+ Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
+ -Name "SpynetReporting" `
+ | Select-Object -ExpandProperty "SpynetReporting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Compliant. Registry value not found."
+ Status = "True"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Compliant. Registry key not found."
+ Status = "True"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.7.1"
+ Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" `
+ -Name "DisableBehaviorMonitoring" `
+ | Select-Object -ExpandProperty "DisableBehaviorMonitoring"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.9.1"
+ Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" `
+ -Name "DisableGenericRePorts" `
+ | Select-Object -ExpandProperty "DisableGenericRePorts"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.10.1"
+ Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" `
+ -Name "DisableRemovableDriveScanning" `
+ | Select-Object -ExpandProperty "DisableRemovableDriveScanning"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.10.2"
+ Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" `
+ -Name "DisableEmailScanning" `
+ | Select-Object -ExpandProperty "DisableEmailScanning"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.13.1.1"
+ Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" `
+ -Name "ExploitGuard_ASR_Rules" `
+ | Select-Object -ExpandProperty "ExploitGuard_ASR_Rules"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.13.3.1"
+ Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" `
+ -Name "EnableNetworkProtection" `
+ | Select-Object -ExpandProperty "EnableNetworkProtection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.14"
+ Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" `
+ -Name "PUAProtection" `
+ | Select-Object -ExpandProperty "PUAProtection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.77.15"
+ Task = "(L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" `
+ -Name "DisableAntiSpyware" `
+ | Select-Object -ExpandProperty "DisableAntiSpyware"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.84.1"
+ Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" `
+ -Name "AllowSuggestedAppsInWindowsInkWorkspace" `
+ | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.84.2"
+ Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" `
+ -Name "AllowWindowsInkWorkspace" `
+ | Select-Object -ExpandProperty "AllowWindowsInkWorkspace"
+
+ if (($regValue -ne 1) -and ($regValue -ne 0)) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.85.1"
+ Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
+ -Name "EnableUserControl" `
+ | Select-Object -ExpandProperty "EnableUserControl"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.85.2"
+ Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" `
+ -Name "AlwaysInstallElevated" `
+ | Select-Object -ExpandProperty "AlwaysInstallElevated"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.85.3"
+ Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" `
+ -Name "SafeForScripting" `
+ | Select-Object -ExpandProperty "SafeForScripting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.86.1"
+ Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" `
+ -Name "DisableAutomaticRestartSignOn" `
+ | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.95.1"
+ Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
+ -Name "EnableScriptBlockLogging" `
+ | Select-Object -ExpandProperty "EnableScriptBlockLogging"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.95.2"
+ Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" `
+ -Name "EnableTranscripting" `
+ | Select-Object -ExpandProperty "EnableTranscripting"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.1.1"
+ Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
+ -Name "AllowBasic" `
+ | Select-Object -ExpandProperty "AllowBasic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.1.2"
+ Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
+ -Name "AllowUnencryptedTraffic" `
+ | Select-Object -ExpandProperty "AllowUnencryptedTraffic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.1.3"
+ Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" `
+ -Name "AllowDigest" `
+ | Select-Object -ExpandProperty "AllowDigest"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.2.1"
+ Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
+ -Name "AllowBasic" `
+ | Select-Object -ExpandProperty "AllowBasic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.2.2"
+ Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" `
+ -Name "AllowAutoConfig" `
+ | Select-Object -ExpandProperty "AllowAutoConfig"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.2.3"
+ Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
+ -Name "AllowUnencryptedTraffic" `
+ | Select-Object -ExpandProperty "AllowUnencryptedTraffic"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.97.2.4"
+ Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" `
+ -Name "DisableRunAs" `
+ | Select-Object -ExpandProperty "DisableRunAs"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.98.1"
+ Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" `
+ -Name "AllowRemoteShellAccess" `
+ | Select-Object -ExpandProperty "AllowRemoteShellAccess"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.99.2.1"
+ Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" `
+ -Name "DisallowExploitProtectionOverride" `
+ | Select-Object -ExpandProperty "DisallowExploitProtectionOverride"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.102.2"
+ Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" `
+ -Name "NoAutoUpdate" `
+ | Select-Object -ExpandProperty "NoAutoUpdate"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.102.3"
+ Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" `
+ -Name "ScheduledInstallDay" `
+ | Select-Object -ExpandProperty "ScheduledInstallDay"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "18.9.102.4"
+ Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" `
+ -Name "NoAutoRebootWithLoggedOnUsers" `
+ | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#UserRights.ps1
new file mode 100644
index 00000000..8b8fbb22
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-1.1.0#UserRights.ps1
@@ -0,0 +1,1585 @@
+# Common
+function ConvertTo-NTAccountUser {
+ [CmdletBinding()]
+ [OutputType([hashtable])]
+ Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string] $Name
+ )
+
+ process {
+ # Identity doesn't exist on when Hyper-V isn't installed
+ if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
+ (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
+ return $null
+ }
+
+ Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
+ if ($Name -match "^(S-[0-9-]{3,})") {
+ $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
+ }
+ else {
+ $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
+ }
+ return @{
+ Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
+ Sid = $sidAccount.Value
+ }
+ }
+}
+
+# Tests
+[AuditTest] @{
+ Id = "2.2.1"
+ Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-11" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-11" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { 
$_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } 
+ } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + 
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] 
@{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] 
+ $identityAccounts = @( + "S-1-5-32-544" + # "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return 
@{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + 
if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + 
"S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin 
$currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = 
{ + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", 
") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + "S-1-5-32-568" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain 
the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message 
= $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 
0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + 
($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#AccountPolicies.ps1 new file mode 100644 index 00000000..ed176154 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#AccountPolicies.ps1 
@@ -0,0 +1,260 @@
+[AuditTest] @{
+ Id = "WN19-AC-000010"
+ Task = "Windows Server 2019 account lockout duration must be configured to 15 minutes or greater."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutDuration"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 15)) {
+ return @{
+ Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000020"
+ Task = "Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LockoutBadCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 3 -or $setPolicy -eq 0)) {
+ return @{
+ Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 3 and x != 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000030"
+ Task = "Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 15)) {
+ return @{
+ Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000040"
+ Task = "Windows Server 2019 password history must be configured to 24 passwords remembered."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 24)) {
+ return @{
+ Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x >= 24"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000050"
+ Task = "Windows Server 2019 maximum password age must be configured to 60 days or less."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -gt 60)) {
+ return @{
+ Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000060"
+ Task = "TWindows Server 2019 minimum password age must be configured to at least one day."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 1)) {
+ return @{
+ Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000070"
+ Task = "Windows Server 2019 minimum password length must be configured to 14 characters."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if (($setPolicy -lt 14)) {
+ return @{
+ Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000080"
+ Task = "Windows Server 2019 must have the built-in Windows password complexity policy enabled."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["PasswordComplexity"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 1) {
+ return @{
+ Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AC-000090"
+ Task = "Windows Server 2019 reversible password encryption must be disabled."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 0) {
+ return @{
+ Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000210"
+ Task = "Windows Server 2019 must not allow anonymous SID/Name translation."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $setPolicy = $securityPolicy['System Access']["LSAAnonymousNameLookup"]
+
+ if ($null -eq $setPolicy) {
+ return @{
+ Message = "Currently not set."
+ Status = "False"
+ }
+ }
+ if ($setPolicy -ne 0) {
+ return @{
+ Message = "'LSAAnonymousNameLookup' currently set to: $setPolicy. Expected: 0"
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#FileSystemPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#FileSystemPermissions.ps1
new file mode 100644
index 00000000..631f2952
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#FileSystemPermissions.ps1
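Review bot: The WN19-AC-000050 check only fails on `$setPolicy -gt 60`, so a maximum password age configured as "never expires" is reported as compliant even though it defeats the 60-day ceiling the Task describes; the WN19-AC-000020 test in the same hunk already guards its own zero case with `-or $setPolicy -eq 0`, and this test should do the same, e.g. `if (($setPolicy -gt 60) -or ($setPolicy -le 0)) {` with the message changed to `Expected: 1 <= x <= 60` (secedit exports "never expires" as -1 on at least some versions, so `-le 0` covers both spellings — please confirm against what the WindowsSecurityPolicy resource actually returns). Conversely WN19-AC-000010 reports a lockout duration of 0, i.e. locked until an administrator unlocks, as non-compliant although the STIG check text, as far as I recall, explicitly accepts that setting; if the resource exposes it as 0 or -1 the comparison should allow it. Also the Task string of WN19-AC-000060 begins with `"TWindows Server 2019 ..."`, a typo that will appear verbatim in generated reports.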
@@ -0,0 +1,366 @@
+# Common
+using namespace System.Security.AccessControl
+
+# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management')
+
+enum GARights {
+ GENERIC_READ = 0x80000000
+ GENERIC_WRITE = 0x40000000
+ GENERIC_EXECUTE = 0x20000000
+ GENERIC_ALL = 0x10000000
+}
+
+# See https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights for more information
+$GAToFSRMapping = @{
+ [GARights]::GENERIC_READ = `
+ [FileSystemRights]::ReadAttributes -bor `
+ [FileSystemRights]::ReadData -bor `
+ [FileSystemRights]::ReadExtendedAttributes -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_WRITE = `
+ [FileSystemRights]::AppendData -bor `
+ [FileSystemRights]::WriteAttributes -bor `
+ [FileSystemRights]::WriteData -bor `
+ [FileSystemRights]::WriteExtendedAttributes -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_EXECUTE = `
+ [FileSystemRights]::ExecuteFile -bor `
+ [FileSystemRights]::ReadPermissions -bor `
+ [FileSystemRights]::ReadAttributes -bor `
+ [FileSystemRights]::Synchronize
+ [GARights]::GENERIC_ALL = `
+ [FileSystemRights]::FullControl
+}
+
+function Convert-FileSystemRights {
+ param(
+ [Parameter(Mandatory = $true)]
+ [FileSystemRights] $OriginalRights
+ )
+
+ [FileSystemRights]$MappedRights = [FileSystemRights]::new()
+
+ # map generic access right
+ foreach ($GAR in $GAToFSRMapping.Keys) {
+ if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
+ $MappedRights = $MappedRights -bor $GAToFSRMapping[$GAR]
+ }
+ }
+
+ # mask standard access rights and object-specific access rights
+ $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
+
+ return $MappedRights
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN19-AU-000030"
+ Task = "Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Application.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Application.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AU-000040"
+ Task = "Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\Security.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\Security.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AU-000050"
+ Task = "Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\winevt\Logs\System.evtx").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\winevt\Logs\System.evtx)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "NT AUTHORITY\SYSTEM" = "FullControl"
+ "NT SERVICE\EventLog" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-AU-000060"
+ Task = "Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemRoot}\System32\Eventvwr.exe").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemRoot}\System32\Eventvwr.exe)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "NT Authority\System" = "ReadAndExecute, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000140"
+ Task = "Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:SystemDrive}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:SystemDrive}\)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize, CreateFiles, CreateDirectories"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000160"
+ Task = "Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements."
+ Test = {
+ $acls = (Get-Acl "${Env:windir}\").Access
+
+ Write-Verbose "File system permissions for TARGET: ${Env:windir}\)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize"
+ "BUILTIN\Administrators" = "FullControl, Modify, Synchronize"
+ "BUILTIN\Users" = "ReadAndExecute, Synchronize"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl, Modify, Synchronize"
+ "NT SERVICE\TrustedInstaller" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
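Review bot: The ACE comparison in every test of this hunk reads only `IdentityReference` and `FileSystemRights`, so `AccessControlType` is never examined and a Deny entry for BUILTIN\Administrators or NT AUTHORITY\SYSTEM carrying FullControl is scored exactly like the expected Allow entry, while inheritance and propagation flags are not considered either. Treat anything that is not an Allow ACE as unexpected, e.g. make the `$principalsWithTooManyRights` filter `$_.AccessControlType -ne [AccessControlType]::Allow -or $_.IdentityReference.Value -NotIn $PrincipalRights.Keys` (the `using namespace System.Security.AccessControl` at the top already resolves the type) and include `$($_.AccessControlType)` in the "Unexpected" message so the report says why. A related limit: `$PrincipalRights` maps each principal to exactly one rights value, but directory ACLs such as `${Env:SystemDrive}\` commonly carry several ACEs per principal with different scopes, so every BUILTIN\Users ACE whose mapped rights differ from the single combined `ReadAndExecute, Synchronize, CreateFiles, CreateDirectories` value will be reported as wrong — consider accepting a list of permitted values per principal. Minor: each `Write-Verbose` string ends with a stray `)`.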
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistryPermissions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistryPermissions.ps1
new file mode 100644
index 00000000..89979984
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistryPermissions.ps1
@@ -0,0 +1,200 @@
+# Common
+using namespace System.Security.AccessControl
+
+# [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.PowerShell.Commands.Management')
+
+enum GARights {
+ GENERIC_READ = 0x80000000
+ GENERIC_WRITE = 0x40000000
+ GENERIC_EXECUTE = 0x20000000
+ GENERIC_ALL = 0x10000000
+}
+
+# Non official mappings
+$GAToRRMaping = @{
+ [GARights]::GENERIC_READ = `
+ [RegistryRights]::ReadKey
+ [GARights]::GENERIC_WRITE = `
+ [RegistryRights]::WriteKey
+ [GARights]::GENERIC_ALL = `
+ [RegistryRights]::FullControl
+}
+
+function Convert-RegistryRights {
+ param(
+ [Parameter(Mandatory = $true)]
+ [RegistryRights] $OriginalRights
+ )
+
+ [RegistryRights]$MappedRights = [RegistryRights]::new()
+
+ # map generic access right
+ foreach ($GAR in $GAToRRMaping.Keys) {
+ if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
+ $MappedRights = $MappedRights -bor $GAToRRMaping[$GAR]
+ }
+ }
+
+ # mask standard access rights and object-specific access rights
+ $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
+
+ return $MappedRights
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN19-00-000170 A"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SECURITY").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SECURITY)"
+
+ $PrincipalRights = @{
+ "BUILTIN\Administrators" = "ReadPermissions, ChangePermissions"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000170 B"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SOFTWARE").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SOFTWARE)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadKey"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000170 C"
+ Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ Test = {
+
+ $acls = (Get-Acl "Registry::HKEY_LOCAL_MACHINE\SYSTEM").Access
+
+ Write-Verbose "Registry permissions for target: HKEY_LOCAL_MACHINE\SYSTEM)"
+
+ $PrincipalRights = @{
+ "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
+ "BUILTIN\Administrators" = "FullControl"
+ "BUILTIN\Users" = "ReadKey"
+ "CREATOR OWNER" = "FullControl"
+ "NT Authority\System" = "FullControl"
+ }
+
+ $principalsWithTooManyRights = $acls | Where-Object {
+ $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
+ }
+ $principalsWithWrongRights = $acls `
+ | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
+ | Where-Object {
+ # convert string to rights enum
+ $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ $mappedRights -notin $referenceRights
+ }
+
+ if (($principalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
+ $messages = @()
+ $messages += $principalsWithTooManyRights | ForEach-Object {
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Unexpected '$($_.IdentityReference)' with access '$mappedRights'"
+ }
+ $messages += $principalsWithWrongRights | ForEach-Object {
+ $idKey = $_.IdentityReference.Value
+ $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
+ "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
+ }.GetNewClosure()
+
+ return @{
+ Status = "False"
+ Message = $messages -join "; "
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistrySettings.ps1
new file mode 100644
index 00000000..1a1c8fec
--- /dev/null
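Review bot: The `.GetNewClosure()` appended to the second `ForEach-Object { ... }` block in all three tests sits in command-argument position, where PowerShell does not apply member access to a script-block literal; as written it is most likely either handed to ForEach-Object as an extra positional argument or rejected by the parser on the empty parentheses, and either way the whole audit group would presumably fail to load rather than run. The closure is not needed — `$PrincipalRights` and `$idKey` are already visible inside the block, and the sibling FileSystemPermissions file in this same commit uses the identical pattern without it — so the fix is to drop the suffix and close the block with a plain `}`. Two smaller points: `$GAToRRMaping` has no `GENERIC_EXECUTE` entry, so an ACE carrying that generic bit keeps the raw 0x20000000 value after `Convert-RegistryRights` and can never equal a reference value, and, as in the file-system tests, `AccessControlType` is not checked, so a Deny ACE is compared as if it granted access.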
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#RegistrySettings.ps1 
@@ -0,0 +1,3444 @@
+[AuditTest] @{
+ Id = "WN19-CC-000240"
+ Task = "Windows Server 2019 administrator accounts must not be enumerated during elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" `
+ -Name "EnumerateAdministrators" `
+ | Select-Object -ExpandProperty "EnumerateAdministrators"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000010"
+ Task = "Windows Server 2019 must prevent the display of slide shows on the lock screen."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" `
+ -Name "NoLockScreenSlideshow" `
+ | Select-Object -ExpandProperty "NoLockScreenSlideshow"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-MS-000020"
+ Task = "Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "LocalAccountTokenFilterPolicy" `
+ | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000020"
+ Task = "Windows Server 2019 must have WDigest Authentication disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" `
+ -Name "UseLogonCredential" `
+ | Select-Object -ExpandProperty "UseLogonCredential"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000030"
+ Task = "Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000040"
+ Task = "Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "DisableIPSourceRouting" `
+ | Select-Object -ExpandProperty "DisableIPSourceRouting"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000050"
+ Task = "Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
+ -Name "EnableICMPRedirect" `
+ | Select-Object -ExpandProperty "EnableICMPRedirect"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000060"
+ Task = "Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" `
+ -Name "NoNameReleaseOnDemand" `
+ | Select-Object -ExpandProperty "NoNameReleaseOnDemand"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000070"
+ Task = "Windows Server 2019 insecure logons to an SMB server must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" `
+ -Name "AllowInsecureGuestAuth" `
+ | Select-Object -ExpandProperty "AllowInsecureGuestAuth"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000090"
+ Task = "Windows Server 2019 command line data must be included in process creation events."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
+ -Name "ProcessCreationIncludeCmdLine_Enabled" `
+ | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-MS-000140"
+ Task = "Windows Server 2019 must be running Credential Guard on domain-joined member servers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" `
+ -Name "LsaCfgFlags" `
+ | Select-Object -ExpandProperty "LsaCfgFlags"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000130"
+ Task = "Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" `
+ -Name "DriverLoadPolicy" `
+ | Select-Object -ExpandProperty "DriverLoadPolicy"
+
+ if ($regValue -ne 8) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 8"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000140"
+ Task = "Windows Server 2019 group policy objects must be reprocessed even if they have not changed."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" `
+ -Name "NoGPOListChanges" `
+ | Select-Object -ExpandProperty "NoGPOListChanges"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000150"
+ Task = "Windows Server 2019 downloading print driver packages over HTTP must be turned off."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableWebPnPDownload" `
+ | Select-Object -ExpandProperty "DisableWebPnPDownload"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000160"
+ Task = "Windows Server 2019 printing over HTTP must be turned off."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" `
+ -Name "DisableHTTPPrinting" `
+ | Select-Object -ExpandProperty "DisableHTTPPrinting"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000170"
+ Task = "Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "DontDisplayNetworkSelectionUI" `
+ | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-MS-000030"
+ Task = "Windows Server 2019 local users on domain-joined member servers must not be enumerated."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer" }
+ )
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnumerateLocalUsers" `
+ | Select-Object -ExpandProperty "EnumerateLocalUsers"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000180"
+ Task = "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "DCSettingIndex" `
+ | Select-Object -ExpandProperty "DCSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000190"
+ Task = "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" `
+ -Name "ACSettingIndex" `
+ | Select-Object -ExpandProperty "ACSettingIndex"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-MS-000040"
+ Task = "Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" `
+ -Name "RestrictRemoteClients" `
+ | Select-Object -ExpandProperty "RestrictRemoteClients"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000200"
+ Task = "Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" `
+ -Name "DisableInventory" `
+ | Select-Object -ExpandProperty "DisableInventory"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000210"
+ Task = "Windows Server 2019 Autoplay must be turned off for non-volume devices."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoAutoplayfornonVolume" `
+ | Select-Object -ExpandProperty "NoAutoplayfornonVolume"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000220"
+ Task = "Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "NoAutorun" `
+ | Select-Object -ExpandProperty "NoAutorun"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000230"
+ Task = "Windows Server 2019 AutoPlay must be disabled for all drives."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" `
+ -Name "NoDriveTypeAutoRun" `
+ | Select-Object -ExpandProperty "NoDriveTypeAutoRun"
+
+ if ($regValue -ne 255) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 255"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000250"
+ Task = "Windows Server 2019 Telemetry must be configured to Security or Basic."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
+ -Name "AllowTelemetry" `
+ | Select-Object -ExpandProperty "AllowTelemetry"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000270"
+ Task = "TWindows Server 2019 Application event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000280"
+ Task = "Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 196608) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 196608"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000290"
+ Task = "Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" `
+ -Name "MaxSize" `
+ | Select-Object -ExpandProperty "MaxSize"
+
+ if ($regValue -ne 32768) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 32768"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000300"
+ Task = "Windows Server 2019 Windows Defender SmartScreen must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" `
+ -Name "EnableSmartScreen" `
+ | Select-Object -ExpandProperty "EnableSmartScreen"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. 
Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000310"
+ Task = "Windows Server 2019 Explorer Data Execution Prevention must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoDataExecutionPrevention" `
+ | Select-Object -ExpandProperty "NoDataExecutionPrevention"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000320"
+ Task = "Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" `
+ -Name "NoHeapTerminationOnCorruption" `
+ | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000330"
+ Task = "Windows Server 2019 File Explorer shell protocol must run in protected mode."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
+ -Name "PreXPSP2ShellProtocolBehavior" `
+ | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000340"
+ Task = "Windows Server 2019 must not save passwords in the Remote Desktop Client."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "DisablePasswordSaving" `
+ | Select-Object -ExpandProperty "DisablePasswordSaving"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000350"
+ Task = "Windows Server 2019 Remote Desktop Services must prevent drive redirection."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fDisableCdm" `
+ | Select-Object -ExpandProperty "fDisableCdm"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000360"
+ Task = "Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fPromptForPassword" `
+ | Select-Object -ExpandProperty "fPromptForPassword"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000370"
+ Task = "Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "fEncryptRPCTraffic" `
+ | Select-Object -ExpandProperty "fEncryptRPCTraffic"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000380"
+ Task = "Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
+ -Name "MinEncryptionLevel" `
+ | Select-Object -ExpandProperty "MinEncryptionLevel"
+
+ if ($regValue -ne 3) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 3"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-CC-000390"
+ Task = "Windows Server 2019 must prevent attachments from being downloaded from RSS feeds."
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000400" + Task = "Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000410" + Task = "Windows Server 2019 must prevent Indexing of encrypted files." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000420" + Task = "Windows Server 2019 must prevent users from changing installation options." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000430" + Task = "Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000440" + Task = "Windows Server 2019 users must be notified if a web-based program attempts to install software." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000450" + Task = "Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000460" + Task = "Windows Server 2019 PowerShell script block logging must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000470" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000480" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000490" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000500" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000510" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-CC-000520" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000020" + Task = "Windows Server 2019 must prevent local accounts with blank passwords from being used from the network." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000050" + Task = "Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000320" + Task = "Windows Server 2019 domain controllers must require LDAP access signing." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000330" + Task = "Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000060" + Task = "Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000070" + Task = "Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000080" + Task = "Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000090" + Task = "Windows Server 2019 computer account password must not be prevented from being reset." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000100" + Task = "Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000110" + Task = "Windows Server 2019 must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000120" + Task = "Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-MS-000050" + Task = "Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if (($regValue -gt 4)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000160" + Task = "Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000170" + Task = "Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000180" + Task = "Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000190" + Task = "Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000200" + Task = "Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000220" + Task = "Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000230" + Task = "Windows Server 2019 must not allow anonymous enumeration of shares." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000240" + Task = "Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-SO-000250" + Task = "Windows Server 2019 must restrict anonymous access to Named Pipes and Shares." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "WN19-MS-000060" + Task = "Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000260"
+ Task = "Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" `
+ -Name "UseMachineId" `
+ | Select-Object -ExpandProperty "UseMachineId"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000270"
+ Task = "Windows Server 2019 must prevent NTLM from falling back to a Null session."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" `
+ -Name "allownullsessionfallback" `
+ | Select-Object -ExpandProperty "allownullsessionfallback"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000280"
+ Task = "Windows Server 2019 must prevent PKU2U authentication using online identities."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" `
+ -Name "AllowOnlineID" `
+ | Select-Object -ExpandProperty "AllowOnlineID"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000290"
+ Task = "Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
+ -Name "SupportedEncryptionTypes" `
+ | Select-Object -ExpandProperty "SupportedEncryptionTypes"
+
+ if ($regValue -ne 2147483640) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2147483640"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000300"
+ Task = "Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "NoLMHash" `
+ | Select-Object -ExpandProperty "NoLMHash"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000310"
+ Task = "Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" `
+ -Name "LmCompatibilityLevel" `
+ | Select-Object -ExpandProperty "LmCompatibilityLevel"
+
+ if ($regValue -ne 5) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 5"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000320"
+ Task = "Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" `
+ -Name "LDAPClientIntegrity" `
+ | Select-Object -ExpandProperty "LDAPClientIntegrity"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000330"
+ Task = "Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinClientSec" `
+ | Select-Object -ExpandProperty "NTLMMinClientSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000340"
+ Task = "Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
+ -Name "NTLMMinServerSec" `
+ | Select-Object -ExpandProperty "NTLMMinServerSec"
+
+ if ($regValue -ne 537395200) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 537395200"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000350"
+ Task = "Windows Server 2019 users must be required to enter a password to access private keys stored on the computer."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" `
+ -Name "ForceKeyProtection" `
+ | Select-Object -ExpandProperty "ForceKeyProtection"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000360"
+ Task = "Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" `
+ -Name "Enabled" `
+ | Select-Object -ExpandProperty "Enabled"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000370"
+ Task = "Windows Server 2019 default permissions of global system objects must be strengthened."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" `
+ -Name "ProtectionMode" `
+ | Select-Object -ExpandProperty "ProtectionMode"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000380"
+ Task = "Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "FilterAdministratorToken" `
+ | Select-Object -ExpandProperty "FilterAdministratorToken"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000390"
+ Task = "Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableUIADesktopToggle" `
+ | Select-Object -ExpandProperty "EnableUIADesktopToggle"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000400"
+ Task = "Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorAdmin" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000410"
+ Task = "Windows Server 2019 User Account Control must automatically deny standard user requests for elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "ConsentPromptBehaviorUser" `
+ | Select-Object -ExpandProperty "ConsentPromptBehaviorUser"
+
+ if ($regValue -ne 0) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 0"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000420"
+ Task = "Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableInstallerDetection" `
+ | Select-Object -ExpandProperty "EnableInstallerDetection"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000430"
+ Task = "Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableSecureUIAPaths" `
+ | Select-Object -ExpandProperty "EnableSecureUIAPaths"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000440"
+ Task = "Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableLUA" `
+ | Select-Object -ExpandProperty "EnableLUA"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000450"
+ Task = "Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+ -Name "EnableVirtualization" `
+ | Select-Object -ExpandProperty "EnableVirtualization"
+
+ if ($regValue -ne 1) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UC-000010"
+ Task = "Windows Server 2019 must preserve zone information when saving attachments."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" `
+ -Name "SaveZoneInformation" `
+ | Select-Object -ExpandProperty "SaveZoneInformation"
+
+ if ($regValue -ne 2) {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 2"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-SO-000150"
+ Task = "Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation."
+ Test = {
+ try {
+ $regValue = Get-ItemProperty -ErrorAction Stop `
+ -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
+ -Name "scremoveoption" `
+ | Select-Object -ExpandProperty "scremoveoption"
+
+ if ($regValue -ne "1") {
+ return @{
+ Message = "Registry value is '$regValue'. Expected: 1"
+ Status = "False"
+ }
+ }
+ }
+ catch [System.Management.Automation.PSArgumentException] {
+ return @{
+ Message = "Registry value not found."
+ Status = "False"
+ }
+ }
+ catch [System.Management.Automation.ItemNotFoundException] {
+ return @{
+ Message = "Registry key not found."
+ Status = "False"
+ }
+ }
+
+ return @{
+ Message = "Compliant"
+ Status = "True"
+ }
+ }
+}
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#UserRights.ps1
new file mode 100644
index 00000000..4448ec3e
--- /dev/null
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#UserRights.ps1
@@ -0,0 +1,1222 @@
+# Common
+function ConvertTo-NTAccountUser {
+ [CmdletBinding()]
+ [OutputType([hashtable])]
+ Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string] $Name
+ )
+
+ process {
+ # Identity doesn't exist on when Hyper-V isn't installed
+ if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
+ (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
+ return $null
+ }
+
+ Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
+ if ($Name -match "^(S-[0-9-]{3,})") {
+ $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
+ }
+ else {
+ $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
+ }
+ return @{
+ Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
+ Sid = $sidAccount.Value
+ }
+ }
+}
+
+# Tests
+[AuditTest] @{
+ Id = "WN19-UR-000010"
+ Task = "Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-DC-000340"
+ Task = "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and `nEnterprise Domain Controllers groups on domain controllers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "NT AUTHORITY\Authenticated Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-MS-000070"
+ Task = "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ "NT AUTHORITY\Authenticated Users"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UR-000020"
+ Task = "Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"]
+ $identityAccounts = @(
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-DC-000350"
+ Task = "Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UR-000030"
+ Task = "Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-DC-000360"
+ Task = "Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers."
+ Constraints = @(
+ @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" }
+ )
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UR-000040"
+ Task = "Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UR-000050"
+ Task = "Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group."
+ Test = {
+ $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
+ $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"]
+ $identityAccounts = @(
+ "Administrators"
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
+
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
+ $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
+
+ if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
+ $messages = @()
+ if ($unexpectedUsers.Count -gt 0) {
+ $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
+ }
+ if ($missingUsers.Count -gt 0) {
+ $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
+ }
+ $message = $messages -join [System.Environment]::NewLine
+
+ return @{
+ Status = "False"
+ Message = $message
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-UR-000060"
+ Task = "Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts."
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000070" + Task = "Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "Administrators" + "Service" + "Local Service" + "Network Service" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000080" + Task = "Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000090" + Task = "Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000100" + Task = "Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000370" + Task = "Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000380" + Task = "Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000390" + Task = "Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000400" + Task = "Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000410" + Task = "Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-DC-000420" + Task = "Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "PrimaryDomainController" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-MS-000130" + Task = "Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer", "StandaloneServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000110" + Task = "Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000120" + Task = "Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "Local Service" + "Network Service" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000130" + Task = "Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "Administrators" + "Service" + "Local Service" + "Network Service" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000140" + Task = "Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000150" + Task = "Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000160" + Task = "Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000170" + Task = "Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000180" + Task = "Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000190" + Task = "Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000200" + Task = "Windows Server 2019 Profile single process user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000210" + Task = "Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "WN19-UR-000220" + Task = "Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#WindowsFeatures.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#WindowsFeatures.ps1 new file mode 100644 index 00000000..55591570 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R2#WindowsFeatures.ps1 
@@ -0,0 +1,152 @@
+[AuditTest] @{
+ Id = "WN19-00-000320"
+ Task = "Windows Server 2019 must not have the Fax Server role installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Fax").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000330"
+ Task = "Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Web-Ftp-Service").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000340"
+ Task = "Windows Server 2019 must not have the Peer Name Resolution Protocol installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "PNRP").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000350"
+ Task = "Windows Server 2019 must not have Simple TCP/IP Services installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Simple-TCPIP").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000360"
+ Task = "Windows Server 2019 must not have the Telnet Client installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "Telnet-Client").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000370"
+ Task = "Windows Server 2019 must not have the TFTP Client installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "TFTP-Client").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000380"
+ Task = "Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "FS-SMB1").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
+[AuditTest] @{
+ Id = "WN19-00-000410"
+ Task = "Windows Server 2019 must not have Windows PowerShell 2.0 installed."
+ Test = {
+ $installState = (Get-WindowsFeature | Where-Object Name -eq "PowerShell-v2").InstallState
+
+ if ($installState -eq "Installed") {
+ return @{
+ Status = "False"
+ Message = "The feature is installed."
+ }
+ }
+
+ return @{
+ Status = "True"
+ Message = "Compliant"
+ }
+ }
+}
diff --git a/ATAPAuditor/Helpers/LogFile.ps1 b/ATAPAuditor/Helpers/LogFile.ps1
new file mode 100644
index 00000000..3f6af1b2
--- /dev/null
+++ b/ATAPAuditor/Helpers/LogFile.ps1
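Review bot: `$installState` is `$null` whenever the feature name is unknown to Get-WindowsFeature or the ServerManager cmdlet is unavailable on the audited host, and `$null -eq "Installed"` is false, so each of the eight tests in this hunk then reports `Status = "True"` / "Compliant" although nothing was actually verified. Query the feature directly and report the unqueryable case on its own, e.g. `$feature = Get-WindowsFeature -Name "Fax" -ErrorAction SilentlyContinue` followed by `if ($null -eq $feature) { return @{ Status = "Warning"; Message = "Feature 'Fax' could not be queried." } }` and then test `$feature.InstallState`; the same shape applies to WN19-00-000330 through WN19-00-000410, and "Warning" is the status value the IIS10 report in this commit already emits, assuming the report engine accepts it for AuditTest results. This also stops every test from enumerating the complete feature list just to pick one entry. Separately, the Task text of WN19-00-000380 is missing a word and should read `must not have the Server Message Block (SMB) v1 protocol installed`.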
@@ -0,0 +1,94 @@ +function Set-LogFile { + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] + Param( + [Parameter(Mandatory = $true)] + [Alias('LogPath')] + [string]$Path, + [Parameter(Mandatory = $true)] + [Alias('Logname')] + [string]$Name + ) + + $FullPath = Get-FullPath $Path $Name + + # Create file if it does not already exists + if (!(Test-Path -Path $FullPath)) { + + # Create file and start logging + New-Item -Path $FullPath -ItemType File -Force | Out-Null + + Add-Content -Path $FullPath -Value "***************************************************************************************************" + Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" + Add-Content -Path $FullPath -Value "***************************************************************************************************" + Add-Content -Path $FullPath -Value "" + Add-Content -Path $FullPath -Value "" + } +} + +function Write-LogFile { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true)] + [Alias('LogMessage')] + [string]$Message, + + [Parameter(Mandatory = $true)] + [Alias('LogPath')] + [string]$Path, + + [Parameter(Mandatory = $true)] + [Alias('Logname')] + [string]$Name, + + [ValidateSet("Error", "Warning", "Info")] + [string]$Level = "Info" + ) + + + Set-LogFile $Path $Name + $FullPath = Get-FullPath $Path $Name + + # Format date for log file + $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" + + switch ($Level) { + 'Error' { + # Write-Error $Message + $LevelText = '[ERROR]:' + } + 'Warning' { + # Write-Warning $Message + $LevelText = '[WARNING]:' + } + 'Info' { + # Write-Verbose $Message + $LevelText = '[INFO]:' + } + } + Add-Content $FullPath "$FormattedDate $LevelText" + Add-Content $FullPath "$Message" + Add-Content $FullPath "--------------------------" + Add-Content $FullPath "" +} + +function Get-FullPath { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true)] + [string]$Path, + [Parameter(Mandatory = $true)] + 
[string]$File + ) + + $FullPath = "" + if ($Path.Length -gt 0) { + if ($Path[$Path.Length - 1] -ne "\") { + $FullPath = $Path + "\" + $File + } + else { + $FullPath = $Path + $File + } + } + + return $FullPath +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/SecurityPolicy.psm1 b/ATAPAuditor/Helpers/SecurityPolicy.psm1 new file mode 100644 index 00000000..81986383 --- /dev/null +++ b/ATAPAuditor/Helpers/SecurityPolicy.psm1 @@ -0,0 +1,28 @@ +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } +} diff --git a/ATAPAuditor/Reports/Google Chrome.ps1 b/ATAPAuditor/Reports/Google Chrome.ps1 new file mode 100644 index 00000000..dd2d5063 --- /dev/null +++ b/ATAPAuditor/Reports/Google Chrome.ps1 
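Review bot: Get-FullPath hand-rolls the path join and returns an empty string when `$Path` is empty, which Set-LogFile then hands to `Test-Path`/`New-Item` and fails with a cmdlet error instead of a clear message; `return (Join-Path -Path $Path -ChildPath $File)` does the same job, handles the trailing-separator case and is not tied to `\`. Set-LogFile declares `SupportsShouldProcess` with `ConfirmImpact = 'Medium'` but never calls `$PSCmdlet.ShouldProcess()`, so that impact level is not what gates the file creation — wrap the `New-Item` in `if ($PSCmdlet.ShouldProcess($FullPath, "Create log file")) { ... }` or drop the attribute. Write-LogFile calls Set-LogFile and then Get-FullPath again, so the path is computed twice per log line; computing it once in Write-LogFile and passing it down would keep the helpers simpler.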
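Review bot: Both `Translate()` calls in ConvertTo-NTAccountUser throw `IdentityNotMappedException` for a name or SID that cannot be resolved on the audited host (a deleted local account, an orphaned SID left in the policy, a domain principal on a machine without domain connectivity), and since nothing catches it the whole user-rights test aborts instead of reporting the unresolved identity; the `Where-Object { $null -ne $_ }` filter the callers apply only covers the Hyper-V early return. Catching that exception, warning, and returning `$null` keeps the audit running and makes an orphaned SID visible in the output, as below; a malformed SID string that misses the `S-` regex presumably ends in the same exception via the NTAccount branch and is covered too.
```powershell
        # … unchanged: Hyper-V "Virtual Machines" early return …
        Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
        try {
            if ($Name -match "^(S-[0-9-]{3,})") {
                $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
            }
            else {
                $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
            }
            return @{
                Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
                Sid = $sidAccount.Value
            }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable identity: report it and let the caller drop the $null entry
            Write-Warning "[ConvertTo-NTAccountUser] Identity '$Name' could not be resolved on this host: $($_.Exception.Message)"
            return $null
        }
```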
@@ -0,0 +1,30 @@
+[Report] @{
+ Title = 'Google Chrome Audit Report'
+ ModuleName = 'ATAPAuditor'
+ BasedOn = @(
+ "CIS Google Chrome Benchmark, Version: 2.0.0, Date: 2019-05-17"
+ "DISA Google Chrome Security Technical Implementation Guide, Version: V1R15, Date: 2019-01-28"
+ )
+ Sections = @(
+ [ReportSection] @{
+ Title = "CIS Recommendations"
+ Description = "This section contains all CIS recommendations"
+ SubSections = @(
+ [ReportSection] @{
+ Title = "Registry Settings/Group Policies"
+ AuditInfos = Test-AuditGroup "Google Chrome-CIS-2.0.0#RegistrySettings"
+ }
+ )
+ }
+ [ReportSection] @{
+ Title = "DISA Recommendations"
+ Description = "This section contains all DISA recommendations"
+ SubSections = @(
+ [ReportSection] @{
+ Title = "Registry Settings/Group Policies"
+ AuditInfos = Test-AuditGroup "Google Chrome-DISA-V1R15#RegistrySettings"
+ }
+ )
+ }
+ )
+}
diff --git a/ATAPAuditor/Reports/Microsoft IE11.ps1 b/ATAPAuditor/Reports/Microsoft IE11.ps1
new file mode 100644
index 00000000..18da515a
--- /dev/null
+++ b/ATAPAuditor/Reports/Microsoft IE11.ps1
@@ -0,0 +1,30 @@
+[Report] @{
+ Title = 'Internet Explorer 11 Audit Report'
+ ModuleName = 'ATAPAuditor'
+ BasedOn = @(
+ 'CIS Microsoft Internet Explorer 11 Benchmark, Version: 1.0.0, Date: 2014-12-01'
+ 'DISA Microsoft Internet Explorer 11 Security Technical Implementation Guide, Version: V1R15, Date: 2018-06-08'
+ )
+ Sections = @(
+ [ReportSection] @{
+ Title = "CIS Recommendations"
+ Description = "This section contains all CIS recommendations"
+ SubSections = @(
+ [ReportSection] @{
+ Title = "Registry Settings/Group Policies"
+ AuditInfos = Test-AuditGroup "Microsoft IE11-CIS-1.0.0#RegistrySettings"
+ }
+ )
+ }
+ [ReportSection] @{
+ Title = "DISA Recommendations"
+ Description = "This section contains all DISA recommendations"
+ SubSections = @(
+ [ReportSection] @{
+ Title = "Registry Settings/Group Policies"
+ AuditInfos = Test-AuditGroup "Microsoft IE11-DISA-V1R16#RegistrySettings"
+ }
+ )
+ }
+ )
+}
diff --git a/IIS10Audit/IIS10Audit.psm1 b/ATAPAuditor/Reports/Microsoft IIS10.ps1
similarity index 80%
rename from IIS10Audit/IIS10Audit.psm1
rename to ATAPAuditor/Reports/Microsoft IIS10.ps1
index faee1b3f..2a949f9c 100644
--- a/IIS10Audit/IIS10Audit.psm1
+++ b/ATAPAuditor/Reports/Microsoft IIS10.ps1
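Review bot: The DISA `BasedOn` entry names `Version: V1R15, Date: 2018-06-08`, but the audit group wired into the DISA section is `Microsoft IE11-DISA-V1R16#RegistrySettings`, and the file list of this commit only carries a `Microsoft IE11-DISA-V1R16#RegistrySettings.ps1`. The rendered report would therefore tell its reader it was checked against a benchmark revision other than the one actually executed; either the string should name the V1R16 release with its matching date, or the group name should be V1R15 if that is the implemented revision. The Google Chrome report in the previous hunk keeps the two in agreement (V1R15 in both places), which is the pattern to follow here.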
@@ -1,63 +1,9 @@ -<# -BSD 3-Clause License - -Copyright (c) 2018, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -<# - -Author(s): Benedikt Böhme - Dennis Esly -Date: 05/31/2018 -Last Change: 01/22/2019 - -#> - -using module ATAPHtmlReport -using namespace Microsoft.Web.Administration +using namespace Microsoft.Web.Administration using namespace Microsoft.Windows.ServerManager.Commands #region Helper Functions $MESSAGE_ALLGOOD = "All Good" -class VirtualPathAudit { - [string] $VirtualPath - [AuditInfo[]] $AuditInfos -} - -class SiteAudit { - [string] $SiteName - [AuditInfo[]] $AuditInfos - - [VirtualPathAudit[]] $VirtualPathAudits -} - function Get-IISSiteVirtualPaths { param( @@ -114,21 +60,21 @@ function Test-IISVirtualDirPartition { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $SystemDrive = [system.environment]::getenvironmentvariable("SystemDrive") $Path = $Site.Applications["/"].VirtualDirectories["/"].PhysicalPath if ($Path.StartsWith("%SystemDrive%") -or $Path.StartsWith($SystemDrive)) { $message = "Web content is on system partition" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.1" Task = "Ensure web content is on non-system partition" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -149,20 +95,20 @@ function Test-IISHostHeaders { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" [array]$Bindings = $Site.Bindings | Where-Object { [string]::IsNullOrEmpty($_.Host) } if ($Bindings.Count -gt 0) { $message = "The following bindings do no specify a host: " + ($Bindings.bindingInformation -join ", ") - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.2" Task = "Ensure 'host headers' is set" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
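Review bot: The first hunk deletes the BSD 3-Clause notice and the copyright line from this file, and the visible new-side lines of the renamed file keep no pointer to it; clause 1 of that license, quoted in the removed text, requires the copyright notice and conditions to be retained in source redistributions, so this is only fine if the notice now lives in a repository-level LICENSE file covering the module — please confirm. The author/date block can go, but a one-line header such as `# Licensed under the BSD 3-Clause License, see LICENSE` would keep the provenance visible in the file itself. Dropping `using module ATAPHtmlReport` and the VirtualPathAudit/SiteAudit classes is consistent with the switch to plain hashtables in the hunks that follow.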
@@ -188,7 +134,7 @@ function Test-IISDirectoryBrowsing { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure directory browsing is installed if ((Get-WindowsFeature Web-Dir-Browsing).InstallState -eq [InstallState]::Installed) { @@ -199,19 +145,19 @@ function Test-IISDirectoryBrowsing { if ($Enabled -eq $true) { $message = "Directory Browsing is enabled" - $audit = [AuditStatus]::False + $audit = "False" } elseif ($null -eq $Enabled) { $message = "Directory Browsing not explicit set to false" - $audit = [AuditStatus]::Warning + $audit = "Warning" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.3" Task = "Ensure 'directory browsing' is set to disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -236,7 +182,7 @@ function Test-IISAppPoolIdentity { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ($AppPool.ProcessModel.IdentityType -eq [ProcessModelIdentityType]::SpecificUser) { # Get the username of the specific application @@ -244,23 +190,23 @@ function Test-IISAppPoolIdentity { if (($AppPoolUsers | Where-Object Name -eq $Username).Count -gt 1) { $message = "ApplicationPoolIdentity $Username is used for more than one ApplicationPool" - $audit = [AuditStatus]::False + $audit = "False" } else { $message = "Unique ApplicationPoolIdentity $Username is used." - $audit = [AuditStatus]::True + $audit = "True" } } elseif ($AppPool.ProcessModel.IdentityType -ne [ProcessModelIdentityType]::ApplicationPoolIdentity) { $message = "ApplicationPoolIdentity is not set" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.4" Task = "Ensure 'application pool identity' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
@@ -275,7 +221,7 @@ function Test-IISUniqueSiteAppPool { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $Apps = foreach ($Site in (Get-IISSite)) { foreach ($App in $Site.Applications) { @@ -292,14 +238,14 @@ function Test-IISUniqueSiteAppPool { if ($Findings.Count -gt 0) { $message = "Following sites do not have unique Application Pools: " + ($findings.Group.VirtualPath -join ", ") - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.5" Task = "Ensure 'unique application pools' is set for sites" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -319,7 +265,7 @@ function Test-IISAnonymouseUserIdentity { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.webServer/security/authentication/anonymousAuthentication" $section = $Configuration.GetSection($path) @@ -328,14 +274,14 @@ function Test-IISAnonymouseUserIdentity { if ($username -ne "") { $message = "Username is set to: $username" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "1.6" Task = "Ensure 'application pool identity' is configured for anonymous user identity" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -362,7 +308,7 @@ function Test-IISGlobalAuthorization { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure URL Authentication is installed if ((Get-WindowsFeature Web-Url-Auth).InstallState -eq [InstallState]::Installed) { 
@@ -379,19 +325,19 @@ function Test-IISGlobalAuthorization { if ($elements.Count -ne 0) { $message = "Authorization rule to allow all or anonymous users is set" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "URL Authorization is not installed" - $audit = [AuditStatus]::Warning + $audit = "Warning" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.1" Task = "Ensure 'global authorization rule' is set to restrict access" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -414,7 +360,7 @@ function Test-IISAuthenticatedPricipals { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -423,14 +369,14 @@ function Test-IISAuthenticatedPricipals { if (($mode -ne "Windows") -and ($mode -ne "Forms")) { $message = "Check authentication principals" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.2" Task = "Ensure access to sensitive site features is restricted to authenticated principals only" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -452,7 +398,7 @@ function Test-IISFormsAuthenticationSSL { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -469,20 +415,20 @@ function Test-IISFormsAuthenticationSSL { if (-not $requireSSL) { $message = "Forms authentication does not require SSL" - $audit = [AuditStatus]::False + $audit = "False" } } } else { $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning + $audit = "Warning" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.3" Task = "Ensure 'forms authentication' require SSL" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
@@ -503,7 +449,7 @@ function Test-IISFormsAuthenticationCookies { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -517,20 +463,20 @@ function Test-IISFormsAuthenticationCookies { if ($cookieless -ne "UseCookies") { $message = "Forms authentication is not set to use cookies" - $audit = [AuditStatus]::False + $audit = "False" } } } else { $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning + $audit = "Warning" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.4" Task = "Ensure 'forms authentication' is set to use cookies" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -553,7 +499,7 @@ function Test-IISFormsAuthenticationProtection { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -568,20 +514,20 @@ function Test-IISFormsAuthenticationProtection { if ($protection -ne "All") { $message = "Cookie Protection Mode is not set to ALL" - $audit = [AuditStatus]::False + $audit = "False" } } } else { $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning + $audit = "Warning" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.5" Task = "Ensure 'cookie protection mode' is configured for forms authentication" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -602,7 +548,7 @@ function Test-IISTLSForBasicAuth { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ((Get-WindowsFeature Web-Basic-Auth).InstallState -eq [InstallState]::Installed) { [array]$httpsBindings = $Site.Bindings | Where-Object -Property Protocol -eq "https" 
@@ -617,20 +563,20 @@ function Test-IISTLSForBasicAuth { # Ensure ssl-flag is set if (-not ($sslValues -contains "ssl")) { $message = "SSL is not required in configuration" - $audit = [AuditStatus]::False + $audit = "False" } # Ensure site has https bindings elseif ($httpsBindings.Count -eq 0) { $message = "Site has no secure protocol binding" - $audit = [AuditStatus]::False + $audit = "False" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.6" Task = "Ensure transport layer security for 'basic authentication' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -651,7 +597,7 @@ function Test-IISPasswordFormatNotClear { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -663,14 +609,14 @@ function Test-IISPasswordFormatNotClear { if ($passwordFormat -eq "Clear" ) { $message = "Credentials passwordFormat set to 'Clear'" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.7" Task = "Ensure 'passwordFormat' is not set to clear" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -685,21 +631,21 @@ function Test-IISPasswordFormatNotClearMachineLevel { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() $passwordFormat = $machineConfig.GetSection("system.web/authentication").forms.credentials.passwordFormat if ($passwordFormat -eq "Clear" ) { $message = "Credentials passwordFormat set to 'Clear'" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.7" Task = "Ensure 'passwordFormat' is not set to clear" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
@@ -719,7 +665,7 @@ function Test-IISCredentialsNotStored { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/authentication" $section = $Configuration.GetSection($path) @@ -730,14 +676,14 @@ function Test-IISCredentialsNotStored { if ($credentials.IsLocallyStored) { $message = "'credentials' is stored in configuration" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.8" Task = "Ensure 'credentials' are not stored in configuration files" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -752,21 +698,21 @@ function Test-IISCredentialsNotStoredMachineLevel { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() $credentials = $machineConfig.GetSection("system.web/authentication").forms.credentials if ($credentials.ElementInformation.IsPresent) { $message = "'credentials' is stored in configuration" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "2.8" Task = "Ensure 'credentials' are not stored in configuration files" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -786,21 +732,21 @@ function Test-IISDeploymentMethodRetail { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() $deployment = $machineConfig.GetSection("system.web/deployment") if (-not $deployment.retail) { $message = "retail is not enabled in machine.config" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.1" Task = "Ensure 'deployment method retail' is set" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
@@ -822,7 +768,7 @@ function Test-IISDebugOff { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/compilation" $section = $Configuration.GetSection($path) @@ -831,14 +777,14 @@ function Test-IISDebugOff { if ($debug) { $message = "Debug is ON" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.2" Task = "Ensure 'debug' is turned off" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -861,7 +807,7 @@ function Test-IISCustomErrorsNotOff { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/customErrors" $section = $Configuration.GetSection($path) @@ -870,14 +816,14 @@ function Test-IISCustomErrorsNotOff { if ($mode -eq "Off") { $message = "Custom errors are 'OFF'" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.3" Task = "Ensure custom error messages are not off" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -898,7 +844,7 @@ function Test-IISHttpErrorsHidden { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.webServer/httpErrors" $section = $Configuration.GetSection($path) @@ -907,14 +853,14 @@ function Test-IISHttpErrorsHidden { if (($errorMode -ne "Custom") -and ($errorMode -ne "DetailedLocalOnly")) { $message = "HTTP detailed errors are set to 'Detailed'" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.4" Task = "Ensure IIS HTTP detailed errors are hidden from displaying remotely" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
@@ -935,7 +881,7 @@ function Test-IISAspNetTracingDisabled { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/trace" $section = $Configuration.GetSection($path) @@ -944,14 +890,14 @@ function Test-IISAspNetTracingDisabled { if ($traceEnabled) { $message = "trace is enabled" - $audit = [AuditStatus]::FALSE + $audit = "FALSE" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.5" Task = "Ensure ASP.NET stack tracing is not enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -966,21 +912,21 @@ function Test-IISAspNetTracingDisabledMachineLevel { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() $trace = $machineConfig.GetSection("system.web/trace") if ($trace.enabled) { $message = "trace is enabled in machine.config" - $audit = [AuditStatus]::FALSE + $audit = "FALSE" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.5" Task = "Ensure ASP.NET stack tracing is not enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -1002,7 +948,7 @@ function Test-IISCookielessSessionState { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/sessionState" $section = $Configuration.GetSection($path) @@ -1011,14 +957,14 @@ function Test-IISCookielessSessionState { if (($cookieless -ne "UseCookies") -and ($cookieless -ne "False")) { $message = "sessionState set to $cookieless" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.6" Task = "Ensure 'httpcookie' mode is configured for session state" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
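Review bot: In `@@ -944,14 +890,14 @@` the status is written as the literal `"FALSE"`, and the same appears in `@@ -966,21 +912,21 @@` for Test-IISAspNetTracingDisabledMachineLevel, while every other test in this file now emits `"False"`. With the former `[AuditStatus]` enum the casing of the member name was irrelevant; as a plain string it is only harmless as long as whatever consumes `Status` compares case-insensitively (PowerShell's `-eq` does, but a `switch -CaseSensitive`, a hashtable keyed on the status, or `[string]::Equals` would not match it). Use `$audit = "False"` in both places so the file agrees with itself and with the other report files in this commit.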
@@ -1039,7 +985,7 @@ function Test-IISCookiesHttpOnly { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.web/httpCookies" $section = $Configuration.GetSection($path) @@ -1048,14 +994,14 @@ function Test-IISCookiesHttpOnly { if (-not $httpOnlyCookie) { $message = "httpOnlyCookies set to $httpOnlyCookies" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.7" Task = "Ensure 'cookies' are set with HttpOnly attribute" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1078,7 +1024,7 @@ function Test-IISMachineKeyValidation { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $siteAppPool = $Site.Applications["/"].ApplicationPoolName $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion @@ -1092,15 +1038,15 @@ function Test-IISMachineKeyValidation { if ($validation -ne "SHA1") { $message = "Validation set to $validation" - $audit = [AuditStatus]::False + $audit = "False" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.8" Task = "Ensure 'MachineKey validation method - .Net 3.5' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1123,7 +1069,7 @@ function Test-IISMachineKeyValidationV45 { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $siteAppPool = $site.Applications["/"].ApplicationPoolName $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion 
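Review bot: In `@@ -1048,14 +994,14 @@` the condition tests `$httpOnlyCookie`, but the failure message interpolates `$httpOnlyCookies`, a differently spelled variable that is not assigned in the visible lines, so the report most likely reads `httpOnlyCookies set to ` with nothing after it. Change the line to `$message = "httpOnlyCookies set to $httpOnlyCookie"`, or, since the branch is only reached when that value is falsy, to a fixed `$message = "httpOnlyCookies is not enabled"`. The assignment of `$httpOnlyCookie` lies above the hunk, so I cannot see whether it is a bool or a string.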
@@ -1136,15 +1082,15 @@ function Test-IISMachineKeyValidationV45 { if (($validation -ne "HMACSHA256") -and ($validation -ne "HMACSHA512")) { $message = "Validation set to $validation" - $audit = [AuditStatus]::False + $audit = "False" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.9" Task = "Ensure 'MachineKey validation method - .Net 4.5' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1167,7 +1113,7 @@ function Test-IISDotNetTrustLevel { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $siteAppPool = $site.Applications["/"].ApplicationPoolName $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion @@ -1179,14 +1125,14 @@ function Test-IISDotNetTrustLevel { # medium trust level should be set in .NET 2.*, but not in later versions if (($appPoolVersion -like "v2.*" -and $level -ne "medium") -or $appPoolVersion -notlike "v4.*") { $message = "TrustLevel set to $level" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "3.10" Task = "Ensure global .NET trust level is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1214,7 +1160,7 @@ function Test-IISMaxAllowedContentLength { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { @@ -1230,19 +1176,19 @@ function Test-IISMaxAllowedContentLength { } else { $message = "maxContentLength not configured" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.1" Task = "Ensure 'maxAllowedContentLength' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
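Review bot: In `@@ -1179,14 +1125,14 @@` the condition `($appPoolVersion -like "v2.*" -and $level -ne "medium") -or $appPoolVersion -notlike "v4.*"` can never pass for a v2.x pool — a v2.x version always satisfies `-notlike "v4.*"` — and for a v4.x pool it passes whatever `$level` holds, so the comment above it ("medium trust level should be set in .NET 2.*, but not in later versions") does not describe what the code does. If the intent is to require medium trust for anything older than 4.x and to skip the check on 4.x, the line should read `if ($appPoolVersion -notlike "v4.*" -and $level -ne "medium") {`; please confirm against the CIS 3.10 wording before changing it. `$level` and `$appPoolVersion` are assigned above the hunk, so I cannot see how they are normalised (the casing of `"medium"`, for instance).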
@@ -1263,7 +1209,7 @@ function Test-IISMaxURLRequestFilter { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { @@ -1279,20 +1225,20 @@ function Test-IISMaxURLRequestFilter { } else { $message = "maxURLRequestFilter not configured" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.2" Task = "Ensure 'maxURL request filter' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1313,7 +1259,7 @@ function Test-IISMaxQueryStringRequestFilter { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { @@ -1329,19 +1275,19 @@ function Test-IISMaxQueryStringRequestFilter { } else { $message = "maxQueryStringRequestFilter not configured" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.3" Task = "Ensure 'MaxQueryString request filter' is configured" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1362,7 +1308,7 @@ function Test-IISNonASCIICharURLForbidden { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { 
@@ -1374,19 +1320,19 @@ function Test-IISNonASCIICharURLForbidden { if ($allowHighBitCharacters) { $message = "non-ASCII characters in URLs are allowed" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.4" Task = "Ensure non-ASCII characters in URLs are not allowed" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1406,7 +1352,7 @@ function Test-IISRejectDoubleEncodedRequests { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { @@ -1418,19 +1364,19 @@ function Test-IISRejectDoubleEncodedRequests { if ($allowDoubleEscaping) { $message = "Rejecting Double-Encoded requests not set" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.5" Task = "Ensure Double-Encoded requests will be rejected" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1451,7 +1397,7 @@ function Test-IISHTTPTraceMethodeDisabled { process { $message = "HTTP Trace Method is not filtered" - $audit = [AuditStatus]::False + $audit = "False" # Ensure request filering is installed if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { 
@@ -1467,19 +1413,19 @@ function Test-IISHTTPTraceMethodeDisabled { if ($httpTraceMethod.Count -eq 1) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.6" Task = "Ensure 'HTTP Trace Method' is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1500,7 +1446,7 @@ function Test-IISBlockUnlistedFileExtensions { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { $path = "system.webServer/security/requestFiltering" @@ -1514,19 +1460,19 @@ function Test-IISBlockUnlistedFileExtensions { if ($allowUnlisted) { $message = "Unlisted file extensions allowed" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Request Filering is not installed" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.7" Task = "Ensure Unlisted File Extensions are not allowed" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1547,7 +1493,7 @@ function Test-IISHandlerDenyWrite { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "system.webServer/handlers" $section = $Configuration.GetSection($path) @@ -1556,14 +1502,14 @@ function Test-IISHandlerDenyWrite { if ((($accessPolicy -contains "Script") -or ($accessPolicy -contains "Execute")) ` -and ($accessPolicy -contains "Write")) { $message = "Handler is granted write and script/execute" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.8" Task = "Ensure Handler is not granted Write and Script/Execute" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
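Review bot: In Test-IISHandlerDenyWrite the new `$audit = "False"` is only reached when `$accessPolicy -contains "Script"` (or `"Execute"`) and `-contains "Write"` both match; `-contains` tests whole-element equality, so if `$accessPolicy` holds the raw `accessPolicy` attribute (IIS typically stores it as a comma-separated flags string such as `Read, Script`) none of these comparisons can ever match and 4.8 passes for every site. The assignment of `$accessPolicy` is above the hunk, so verify that it splits the value; if it does not, `$accessPolicy = $accessPolicy -split ",\s*"` before the `if`, or `-match "\bWrite\b"` style comparisons, would make the test fire. Because this is a write-plus-execute check, a silent pass is the worst failure mode for it.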
@@ -1578,7 +1524,7 @@ function Test-IISIsapisNotAllowed { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" try { $isapiCgiRestriction = Get-IISConfigSection ` @@ -1588,19 +1534,19 @@ function Test-IISIsapisNotAllowed { # Verify that the notListedIsapisAllowed attribute in the element is set to false if ($isapiCgiRestriction) { $message = "IsapiCgiRestriction 'notListedIsapisAllowed' not set to false" - $audit = [AuditStatus]::False + $audit = "False" } } catch { $message = "Cannot get setting 'notListedIsapisAllowed' for IsapiCgiRestriction" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.9" Task = "Ensure 'notListedIsapisAllowed' is set to false" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -1614,7 +1560,7 @@ function Test-IISCgisNotAllowed { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" try { $isapiCgiRestriction = Get-IISConfigSection ` @@ -1624,19 +1570,19 @@ function Test-IISCgisNotAllowed { # Verify that the notListedCgisAllowed attribute in the element is set to false if ($isapiCgiRestriction) { $message = "IsapiCgiRestriction 'notListedCgisAllowed' not set to false" - $audit = [AuditStatus]::False + $audit = "False" } } catch { $message = "Cannot get setting 'notListedCgisAllowed' for IsapiCgiRestriction" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.10" Task = "Ensure 'notListedCgisAllowed' is set to false" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
@@ -1656,12 +1602,12 @@ function Test-IISDynamicIPRestrictionEnabled { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" # Ensure the windows feature is installed if ((Get-WindowsFeature Web-Ip-Security).InstallState -ne [InstallState]::Installed) { $message = "`"IP and Domain Restrictions`" must be installed to enabled `"Dynamic IP Address Restrictions`"" - $audit = [AuditStatus]::False + $audit = "False" } else { $dynamicIpSecurity = Get-IISConfigSection -Location $Site.Name ` @@ -1677,23 +1623,23 @@ function Test-IISDynamicIPRestrictionEnabled { if ($denyByConcurrentRequests -and -not $denyByRequestRate) { $message = "Deny IP Address based on the number of requests over a period of time disabled" - $audit = [AuditStatus]::False + $audit = "False" } elseif (-not $denyByConcurrentRequests -and $denyByRequestRate) { $message = "Deny IP Address based on the number of concurrent requests disabled" - $audit = [AuditStatus]::False + $audit = "False" } elseif (-not $denyByConcurrentRequests -and -not $denyByRequestRate) { $message = "Dynamic IP Restriction disabled" - $audit = [AuditStatus]::False + $audit = "False" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "4.11" Task = "Ensure 'Dynamic IP Address Restrictions' is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1722,18 +1668,18 @@ function Test-IISLogFileLocation { $logFileLocation = ($Site.logFile.Directory).replace("%SystemDrive%", $env:SystemDrive) $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ($logFileLocation.StartsWith($env:SystemDrive)) { $message = "Logfile location is on system drive: $logFileLocation" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "5.1" Task = "Ensure Default IIS web log location is moved" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } 
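Review bot: Test-IISLogFileLocation decides 5.1 with `$logFileLocation.StartsWith($env:SystemDrive)`, a case-sensitive comparison: a directory configured as `c:\inetpub\logs` (lower-case drive letter) does not match `C:` and the site is reported compliant while its logs still live on the system drive. Only `%SystemDrive%` is expanded as well, so a value like `%SystemRoot%\...` is compared literally. Using `$logFileLocation = [Environment]::ExpandEnvironmentVariables($Site.logFile.Directory)` together with `if ($logFileLocation -like "$($env:SystemDrive)*") {` handles both, as `-like` is case-insensitive by default. The function's param block is outside the hunk.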
@@ -1749,11 +1695,11 @@ function Test-IISAdvancedLoggingEnabled { # check site defaults - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "5.2" Task = "Ensure Advanced IIS logging is enabled" + Status = "None" Message = "Advanced Logging is not available for IIS 10. See enhanced logging instead." - Audit = [AuditStatus]::None } | Write-Output } @@ -1773,18 +1719,18 @@ function Test-IISETWLoggingEnabled { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if (-not ($Site.logFile.logTargetW3C -like "*ETW*")) { $message = "ETW Logging disabled" - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "5.3" Task = "Ensure 'ETW Logging' is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1811,20 +1757,20 @@ function Test-IISFtpIsDisabled { process { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" [array]$ftpBindings = $Site.Bindings | Where-Object -Property Protocol -eq FTP if ($ftpBindings.Count -gt 0 -or (Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { $message = "FTP is not disabled. FTP is using bindings and/or is at least installed." - $audit = [AuditStatus]::False + $audit = "False" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "6.0" Task = "Ensure FTP is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } } @@ -1839,7 +1785,7 @@ function Test-IISFtpRequestsEncrypted { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { try { 
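Review bot: Test-IISFtpIsDisabled reports `"False"` for every site as soon as `Web-Ftp-Server` is installed, regardless of `$ftpBindings.Count`, so on such a host each site section repeats the same failure and the single message cannot tell the operator which of the two conditions fired. Splitting it, e.g. `$message = if ($ftpBindings.Count -gt 0) { "FTP bindings present on site: $($ftpBindings.Count)" } else { "Web-Ftp-Server feature is installed" }`, keeps the verdict and makes the finding actionable; the feature-level condition arguably belongs in the system report rather than in every site. The function header and param block are outside the hunk.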
@@ -1858,24 +1804,24 @@ function Test-IISFtpRequestsEncrypted { if (($controlChannelPolicy -ne "SslRequire") -or ($dataChannelPolicy -ne "SslRequire")) { $message = "Found following settings: `n controlChannelPolicy: $controlChannelPolicy `n dataChannelPolicy: $dataChannelPolicy" - $audit = [AuditStatus]::False + $audit = "False" } } catch { $message = "Cannot get FTP security setting" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" - $audit = [AuditStatus]::None + $audit = "None" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "6.1" Task = "Ensure FTP requests are encrypted" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -1889,7 +1835,7 @@ function Test-IISFtpLogonAttemptRestriction { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { try { @@ -1911,31 +1857,31 @@ function Test-IISFtpLogonAttemptRestriction { } elseif (-not $enabled ) { $message = "Feature disabled" - $audit = [AuditStatus]::False + $audit = "False" } else { $message = "Feature enabled, but check settings. Found: `n maxFailure: " ` + $maxFailure + "`n entryExpiration: " ` + $entryExpiration + "`n Only logging mode: " ` + $loggingOnlyMode - $audit = [AuditStatus]::False + $audit = "False" } } catch { - $audit = [AuditStatus]::False + $audit = "False" $message = "Cannot get FTP Logon attempt settings" } } else { $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" - $audit = [AuditStatus]::None + $audit = "None" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "6.2" Task = "Ensure FTP Logon attempt restrictions is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
@@ -1961,7 +1907,7 @@ function Test-IISHSTSHeaderSet { process { $message = "HSTS Header not set" - $audit = [AuditStatus]::False + $audit = "False" $path = "system.webServer/httpProtocol" $section = $Configuration.GetSection($path) @@ -1981,24 +1927,24 @@ function Test-IISHSTSHeaderSet { [int]$maxAge = $match.Groups["maxage"].Value if ($maxAge -eq 0) { $message = "Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" - $audit = [AuditStatus]::False + $audit = "False" } elseif ($maxAge -lt 480) { $message = "It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" - $audit = [AuditStatus]::Warning + $audit = "Warning" } else { $message = $MESSAGE_ALLGOOD + ". Max-age is set at $maxAge" - $audit = [AuditStatus]::True + $audit = "True" } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.1" Task = "Ensure HSTS Header is set" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2014,7 +1960,7 @@ function Test-IISSSL2Disabled { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" @@ -2028,16 +1974,16 @@ function Test-IISSSL2Disabled { # Ensure it is set to 0 if ($value -ne 0) { $message = "SSL 2.0 is enabled" - $audit = [AuditStatus]::False + $audit = "False" } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.2" Task = "Ensure SSLv2 is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2051,7 +1997,7 @@ function Test-IISSSL3Disabled { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" 
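Review bot: Test-IISHSTSHeaderSet inspects only the static custom headers under `system.webServer/httpProtocol` (the `$section = $Configuration.GetSection($path)` line), so a Strict-Transport-Security header emitted by a URL Rewrite outbound rule, by application code, or by a reverse proxy in front of IIS is reported as "HSTS Header not set". That is a defensible scope for a configuration audit, but it should be stated next to the `$path` line, e.g. `# Only static customHeaders are inspected; HSTS set by URL Rewrite, application code or an upstream proxy is not detected.`. The regex that populates `$match` lies between the two hunks, so the max-age parsing itself is not reviewable here.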
@@ -2065,16 +2011,16 @@ function Test-IISSSL3Disabled { # Ensure it is set to 0 if ($value -ne 0) { $message = "SSL 3.0 is enabled" - $audit = [AuditStatus]::False + $audit = "False" } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.3" Task = "Ensure SSLv3 is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2090,7 +2036,7 @@ function Test-IISTLSDisabled { #> $message = "TLS 1.0 not disabled" - $audit = [AuditStatus]::False + $audit = "False" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" @@ -2103,7 +2049,7 @@ function Test-IISTLSDisabled { # Ensure it is set to 0 if ($value -eq 0) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } elseif ($null -ne $Key.GetValue("DisabledByDefault", $null)) { @@ -2111,16 +2057,16 @@ function Test-IISTLSDisabled { # Ensure it is set to 1 if ($value -eq 1) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.4" Task = "Ensure TLS 1.0 is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2134,7 +2080,7 @@ function Test-IISTLS1_1Enabled { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" @@ -2148,16 +2094,16 @@ function Test-IISTLS1_1Enabled { # Ensure it is enabled if ($value -eq 0) { $message = "TLS 1.1 disabled" - $audit = [AuditStatus]::False + $audit = "False" } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.5" Task = "Ensure TLS 1.1 is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
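Review bot: Test-IISTLS1_1Enabled marks a host as failing 7.5 when `TLS 1.1\Server` has `Enabled` = 0, i.e. it penalises exactly the configuration that newer hardening guidance asks for. The check is faithful to the benchmark this report cites (CIS IIS 10 v1.1.0 task "Ensure TLS 1.1 is enabled"), but operators who disabled TLS 1.1 on purpose will see a red 7.5 beside a green 7.4 with no explanation; at least make the message say why, e.g. `$message = "TLS 1.1 disabled (CIS IIS 10 v1.1.0 item 7.5 expects it enabled; newer guidance deprecates TLS 1.1 - verify against your policy)"`, or downgrade the status to `"Warning"`. The `$Key` lookups for both TLS functions are outside the hunks.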
@@ -2171,7 +2117,7 @@ function Test-IISTLS1_2Enabled { #> $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" @@ -2184,12 +2130,12 @@ function Test-IISTLS1_2Enabled { $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" if ($value -ne 1) { $message = "TLS 1.2 is disabled" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "TLS 1.2 is disabled" - $audit = [AuditStatus]::False + $audit = "False" } if ($null -ne $Key.GetValue("DisabledByDefault", $null)) { @@ -2197,20 +2143,20 @@ function Test-IISTLS1_2Enabled { $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "DisabledByDefault" if ($value -ne 0) { $message = "TLS 1.2 is disabled by default" - $audit = [AuditStatus]::False + $audit = "False" } } else { $message = "TLS 1.2 is disabled" - $audit = [AuditStatus]::False + $audit = "False" } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.6" Task = "Ensure TLS 1.2 is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2224,7 +2170,7 @@ function Test-IISNullCipherDisabled { #> $message = "NULL cipher is enabled" - $audit = [AuditStatus]::False + $audit = "False" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\" @@ -2234,20 +2180,20 @@ function Test-IISNullCipherDisabled { $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" if ($value -eq 0) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } } else { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.7" Task = "Ensure NULL Cipher Suites is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } 
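Review bot: Test-IISTLS1_2Enabled treats any `Enabled` value other than exactly 1 as disabled (`if ($value -ne 1)`), but SCHANNEL only distinguishes zero from non-zero and hardening tooling commonly writes `0xFFFFFFFF` (4294967295) for Enabled; such hosts are flagged as failing 7.6 although TLS 1.2 is on. Change the test to `if ($value -eq 0) { $message = "TLS 1.2 is disabled (Enabled=0)"; $audit = "False" }` so only an explicit zero fails. The absent-key branches also report "TLS 1.2 is disabled", yet on Windows Server 2016 TLS 1.2 is enabled by default when no key exists; if the benchmark requires an explicit setting, say "not explicitly enabled" instead. The `$Key` lookup and the function header are outside the hunk.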
@@ -2261,7 +2207,7 @@ function Test-IISDESCipherDisabled { #> $message = "DES cipher is enabled" - $audit = [AuditStatus]::False + $audit = "False" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56\" @@ -2271,20 +2217,20 @@ function Test-IISDESCipherDisabled { $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" if ($value -eq 0) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } } else { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.8" Task = "Ensure DES Cipher Suites is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2302,7 +2248,7 @@ function Test-IISRC4CipherDisabled { $index = 1 foreach ($rc4Cipher in $rc4Ciphers) { $message = "$rc4Cipher cipher is enabled" - $audit = [AuditStatus]::False + $audit = "False" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$rc4Cipher\" @@ -2312,20 +2258,20 @@ function Test-IISRC4CipherDisabled { $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" if ($value -eq 0) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } } else { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.9.$index" Task = "Ensure RC4 Cipher Suites is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output $index++ @@ -2342,7 +2288,7 @@ function Test-IISAES128Disabled { #> $message = "AES 128/128 Cipher Suite is still enabled" - $audit = [AuditStatus]::False + $audit = "False" try { # Get-ItemProperty returns a [UInt32] @@ -2353,7 +2299,7 @@ function Test-IISAES128Disabled { if ($enabled -eq 0) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } 
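Review bot: The cipher checks in these hunks build paths such as `...\SCHANNEL\Ciphers\DES 56/56\` and `...\Ciphers\$rc4Cipher\` and read them through the registry provider (`Get-ItemProperty $path`); the PowerShell registry provider treats `/` as a path separator as well as `\`, so these paths resolve to a subkey `56` under `DES 56` rather than to the real `DES 56/56` key, and the existence test that precedes the read (outside the hunk) comes back negative. The `else` branch then reports `$MESSAGE_ALLGOOD`, i.e. a host with DES or RC4 explicitly enabled via these keys is shown as compliant, which is the wrong direction for a disable-check. Open the key through .NET instead, e.g. `$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56")` and `$value = if ($key) { $key.GetValue("Enabled") }`; the same applies to the `AES 128/128` and `AES 256/256` checks that follow. Please verify on a host where such a key exists, since the guard lines are not in these hunks.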
@@ -2363,11 +2309,11 @@ function Test-IISAES128Disabled { # If the key/value is not present,Triple AES 128/128 Cipher is disabled - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.10" Task = "Ensure AES 128/128 Cipher Suite is disabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2381,7 +2327,7 @@ function Test-IISAES256Enabled { #> $message = "AES 256/256 Cipher is disabled" - $audit = [AuditStatus]::False + $audit = "False" $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256\" @@ -2391,20 +2337,20 @@ function Test-IISAES256Enabled { $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" if ($value -eq 1) { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } } } else { $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True + $audit = "True" } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.11" Task = "Ensure AES 256/256 Cipher Suite is enabled" + Status = $audit Message = $message - Audit = $audit } | Write-Output } @@ -2429,10 +2375,10 @@ function Test-IISTLSCipherOrder { ) $message1 = "TLS Cipher Suite ordering does not match reference" - $audit1 = [AuditStatus]::False + $audit1 = "False" $message2 = "TLS Cipher Suite contains more ciphers" - $audit2 = [AuditStatus]::False + $audit2 = "False" $path = "HKLM:\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\" @@ -2443,7 +2389,7 @@ function Test-IISTLSCipherOrder { if ($cipherList.Count -ge $functions.Count) { $message2 = $MESSAGE_ALLGOOD - $audit2 = [AuditStatus]::True + $audit2 = "True" $equalOrdering = [System.Linq.Enumerable]::Zip($cipherList, $functions, ` [Func[String, String, Boolean]] { 
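Review bot: The comment `# If the key/value is not present,Triple AES 128/128 Cipher is disabled` in Test-IISAES128Disabled contradicts the code it annotates: `$audit` starts as `"False"` with message "still enabled" and only flips to `"True"` when an `Enabled` value of 0 is read, so an absent key is treated as enabled, which as far as I know is also the SCHANNEL default for AES 128/128. Rewrite it as `# Absent key/value means the SCHANNEL default (AES 128/128 enabled), so $audit stays "False".` and drop the stray "Triple". The try/catch that reads the value is outside this hunk.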
@@ -2453,25 +2399,25 @@ function Test-IISTLSCipherOrder { if (-not ($equalOrdering -contains $false)) { $message1 = $MESSAGE_ALLGOOD - $audit1 = [AuditStatus]::True + $audit1 = "True" } } } } - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.12.1" Task = "Ensure TLS Cipher Suite ordering is correctly configured" + Status = $audit1 Message = $message1 - Audit = $audit1 } | Write-Output - New-Object -TypeName AuditInfo -Property @{ + @{ Id = "7.12.2" Task = "Ensure TLS Cipher Suite does not contain more ciphers" + Status = $audit2 Message = $message2 - Audit = $audit2 } | Write-Output } 
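Review bot: The ordering verdict in Test-IISTLSCipherOrder comes from `[System.Linq.Enumerable]::Zip($cipherList, $functions, ...)`, which stops at the shorter sequence; together with the `$cipherList.Count -ge $functions.Count` guard in the preceding hunk, a `Functions` list holding only a prefix of the reference (even a single suite) passes both 7.12.1 and 7.12.2. If the intent is "exactly the reference list, in order", add a length check before declaring the order good, e.g. `if ($functions.Count -eq $cipherList.Count -and -not ($equalOrdering -contains $false)) {`, or at least list the missing suites in `$message1`. The reference `$cipherList` and the registry read are outside this hunk.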
@@ -2519,141 +2465,129 @@ function Get-IIS10SystemReport { function Get-IIS10ApplicationHostReport { $Configuration = (Get-IISServerManager).GetApplicationHostConfiguration() - $ApplicationHostAuditInfos = @() - # Section 1 - $ApplicationHostAuditInfos += $Configuration | Test-IISDirectoryBrowsing - $ApplicationHostAuditInfos += $Configuration | Test-IISAnonymouseUserIdentity + $Configuration | Test-IISDirectoryBrowsing + $Configuration | Test-IISAnonymouseUserIdentity # Section 2 - $ApplicationHostAuditInfos += $Configuration | Test-IISGlobalAuthorization - $ApplicationHostAuditInfos += $Configuration | Test-IISAuthenticatedPricipals - $ApplicationHostAuditInfos += $Configuration | Test-IISFormsAuthenticationSSL - $ApplicationHostAuditInfos += $Configuration | Test-IISFormsAuthenticationCookies - $ApplicationHostAuditInfos += $Configuration | Test-IISFormsAuthenticationProtection - $ApplicationHostAuditInfos += $Configuration | Test-IISPasswordFormatNotClear - $ApplicationHostAuditInfos += $Configuration | Test-IISCredentialsNotStored + $Configuration | Test-IISGlobalAuthorization + $Configuration | Test-IISAuthenticatedPricipals + $Configuration | Test-IISFormsAuthenticationSSL + $Configuration | Test-IISFormsAuthenticationCookies + $Configuration | Test-IISFormsAuthenticationProtection + $Configuration | Test-IISPasswordFormatNotClear + $Configuration | Test-IISCredentialsNotStored # Section 3 - $ApplicationHostAuditInfos += $Configuration | Test-IISDebugOff - $ApplicationHostAuditInfos += $Configuration | Test-IISCustomErrorsNotOff - $ApplicationHostAuditInfos += $Configuration | Test-IISHttpErrorsHidden - $ApplicationHostAuditInfos += $Configuration | Test-IISAspNetTracingDisabled - $ApplicationHostAuditInfos += $Configuration | Test-IISCookielessSessionState - $ApplicationHostAuditInfos += $Configuration | Test-IISCookiesHttpOnly + $Configuration | Test-IISDebugOff + $Configuration | Test-IISCustomErrorsNotOff + $Configuration | Test-IISHttpErrorsHidden + 
$Configuration | Test-IISAspNetTracingDisabled + $Configuration | Test-IISCookielessSessionState + $Configuration | Test-IISCookiesHttpOnly # Section 4 - $ApplicationHostAuditInfos += $Configuration | Test-IISMaxAllowedContentLength - $ApplicationHostAuditInfos += $Configuration | Test-IISMaxURLRequestFilter - $ApplicationHostAuditInfos += $Configuration | Test-IISMaxQueryStringRequestFilter - $ApplicationHostAuditInfos += $Configuration | Test-IISNonASCIICharURLForbidden - $ApplicationHostAuditInfos += $Configuration | Test-IISRejectDoubleEncodedRequests - $ApplicationHostAuditInfos += $Configuration | Test-IISHTTPTraceMethodeDisabled - $ApplicationHostAuditInfos += $Configuration | Test-IISBlockUnlistedFileExtensions - $ApplicationHostAuditInfos += $Configuration | Test-IISHandlerDenyWrite + $Configuration | Test-IISMaxAllowedContentLength + $Configuration | Test-IISMaxURLRequestFilter + $Configuration | Test-IISMaxQueryStringRequestFilter + $Configuration | Test-IISNonASCIICharURLForbidden + $Configuration | Test-IISRejectDoubleEncodedRequests + $Configuration | Test-IISHTTPTraceMethodeDisabled + $Configuration | Test-IISBlockUnlistedFileExtensions + $Configuration | Test-IISHandlerDenyWrite # Section 5 # Section 6 # Section 7 - $ApplicationHostAuditInfos += $Configuration | Test-IISHSTSHeaderSet + $Configuration | Test-IISHSTSHeaderSet - Write-Output $ApplicationHostAuditInfos } -function Get-IIS10SiteReport { +function Get-VirtualPathAudit { + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] + $Configuration + ) + + process { + # Section 1 + $Configuration | Test-IISDirectoryBrowsing + $Configuration | Test-IISAnonymouseUserIdentity + + # Section 2 + $Configuration | Test-IISGlobalAuthorization + $Configuration | Test-IISAuthenticatedPricipals + $Configuration | Test-IISFormsAuthenticationSSL + $Configuration | Test-IISFormsAuthenticationCookies + $Configuration | Test-IISFormsAuthenticationProtection + $Configuration | 
Test-IISPasswordFormatNotClear + $Configuration | Test-IISCredentialsNotStored + + # Section 3 + $Configuration | Test-IISDebugOff + $Configuration | Test-IISCustomErrorsNotOff + $Configuration | Test-IISHttpErrorsHidden + $Configuration | Test-IISAspNetTracingDisabled + $Configuration | Test-IISCookielessSessionState + $Configuration | Test-IISCookiesHttpOnly + # Section 4 + $Configuration | Test-IISMaxAllowedContentLength + $Configuration | Test-IISMaxURLRequestFilter + $Configuration | Test-IISMaxQueryStringRequestFilter + $Configuration | Test-IISNonASCIICharURLForbidden + $Configuration | Test-IISRejectDoubleEncodedRequests + $Configuration | Test-IISHTTPTraceMethodeDisabled + $Configuration | Test-IISBlockUnlistedFileExtensions + $Configuration | Test-IISHandlerDenyWrite + + # Section 5 + + # Section 6 + + # Section 7 + $Configuration | Test-IISHSTSHeaderSet + } +} + +function Get-SiteAudit { param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site + [Site] + $Site ) process { $AppPools = $Site.Applications.ApplicationPoolName | Sort-Object | Get-Unique | Get-IISAppPool - $AuditInfos = @() - # Section 1 - $AuditInfos += $Site | Test-IISVirtualDirPartition - $AuditInfos += $Site | Test-IISHostHeaders - $AuditInfos += $AppPools | Test-IISAppPoolIdentity + $Site | Test-IISVirtualDirPartition + $Site | Test-IISHostHeaders + $AppPools | Test-IISAppPoolIdentity # Section 2 - $AuditInfos += $Site | Test-IISTLSForBasicAuth + $Site | Test-IISTLSForBasicAuth # Section 3 - $AuditInfos += $Site | Test-IISMachineKeyValidation - $AuditInfos += $Site | Test-IISMachineKeyValidationV45 - $AuditInfos += $Site | Test-IISDotNetTrustLevel + $Site | Test-IISMachineKeyValidation + $Site | Test-IISMachineKeyValidationV45 + $Site | Test-IISDotNetTrustLevel # Section 4 - $AuditInfos += $Site | Test-IISDynamicIPRestrictionEnabled + $Site | Test-IISDynamicIPRestrictionEnabled # Section 5 - $AuditInfos += $Site | Test-IISLogFileLocation - $AuditInfos += $Site | 
Test-IISETWLoggingEnabled + $Site | Test-IISLogFileLocation + $Site | Test-IISETWLoggingEnabled # Section 6 - $AuditInfos += $Site | Test-IISFtpIsDisabled + $Site | Test-IISFtpIsDisabled # Section 7 - $VirtualPaths = $Site | Get-IISSiteVirtualPaths -AllVirtualDirectories - $VirtualPathAudits = foreach ($VirtualPath in $VirtualPaths) { - $Configuration = (Get-IISServerManager).GetWebConfiguration($Site.Name, $VirtualPath) - $VirtualPathAuditInfos = @() - - # Section 1 - $VirtualPathAuditInfos += $Configuration | Test-IISDirectoryBrowsing - $VirtualPathAuditInfos += $Configuration | Test-IISAnonymouseUserIdentity - - # Section 2 - $VirtualPathAuditInfos += $Configuration | Test-IISGlobalAuthorization - $VirtualPathAuditInfos += $Configuration | Test-IISAuthenticatedPricipals - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationSSL - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationCookies - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationProtection - $VirtualPathAuditInfos += $Configuration | Test-IISPasswordFormatNotClear - $VirtualPathAuditInfos += $Configuration | Test-IISCredentialsNotStored - - # Section 3 - $VirtualPathAuditInfos += $Configuration | Test-IISDebugOff - $VirtualPathAuditInfos += $Configuration | Test-IISCustomErrorsNotOff - $VirtualPathAuditInfos += $Configuration | Test-IISHttpErrorsHidden - $VirtualPathAuditInfos += $Configuration | Test-IISAspNetTracingDisabled - $VirtualPathAuditInfos += $Configuration | Test-IISCookielessSessionState - $VirtualPathAuditInfos += $Configuration | Test-IISCookiesHttpOnly - - # Section 4 - $VirtualPathAuditInfos += $Configuration | Test-IISMaxAllowedContentLength - $VirtualPathAuditInfos += $Configuration | Test-IISMaxURLRequestFilter - $VirtualPathAuditInfos += $Configuration | Test-IISMaxQueryStringRequestFilter - $VirtualPathAuditInfos += $Configuration | Test-IISNonASCIICharURLForbidden - $VirtualPathAuditInfos += $Configuration | 
Test-IISRejectDoubleEncodedRequests - $VirtualPathAuditInfos += $Configuration | Test-IISHTTPTraceMethodeDisabled - $VirtualPathAuditInfos += $Configuration | Test-IISBlockUnlistedFileExtensions - $VirtualPathAuditInfos += $Configuration | Test-IISHandlerDenyWrite - - # Section 5 - - # Section 6 - - # Section 7 - $VirtualPathAuditInfos += $Configuration | Test-IISHSTSHeaderSet - - New-Object -TypeName VirtualPathAudit -Property @{ - VirtualPath = $VirtualPath - AuditInfos = $VirtualPathAuditInfos - } - } - - New-Object -TypeName SiteAudit -Property @{ - SiteName = $Site.Name - AuditInfos = $AuditInfos - - VirtualPathAudits = $VirtualPathAudits - } } } 
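Review bot: Get-IIS10ApplicationHostReport now repeats, call for call, the pipeline that the new Get-VirtualPathAudit encapsulates (sections 1–4 and 7 against a `[Configuration]`), so the two lists will drift the next time a check is added. If `GetApplicationHostConfiguration()` returns the same type the new function accepts, which it appears to, the first function can shrink to `(Get-IISServerManager).GetApplicationHostConfiguration() | Get-VirtualPathAudit` in place of the 27 piped calls. Get-SiteAudit and Get-VirtualPathAudit also carry no comment-based help, unlike the Test-* functions; a `.Synopsis` saying each emits one status hashtable per benchmark item, in Id order, for the report loader would help readers. The hunk opens on the tail of Get-IIS10SystemReport, whose body is outside the view.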
@@ -2673,68 +2607,38 @@ function Get-IISHostInformation { } } -function Get-IIS10HtmlReport { - <# - .Synopsis - Generates an audit report in an html file. - .Description - The `Get-IIS10HtmlReport` cmdlet collects by default data from the current machine to generate an audit report. - - It is also possible to pass your own data to the cmdlet from which it generates the report. To do this, use the parameter `SystemAuditInfos` and `SiteAudits`. - .Parameter Path - Specifies the relative path to the file in which the report will be stored. - .Example - C:\PS> Get-IIS10HtmlReport -Path "MyReport.html" - #> - - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string] $Path, - - [AuditInfo[]] $SystemAuditInfos = (Get-IIS10SystemReport), - - [AuditInfo[]] $ApplicationHostInfos = (Get-IIS10ApplicationHostReport), - - [SiteAudit[]] $SiteAudits = (Get-IISSite | Get-IIS10SiteReport), - - [switch] $DarkMode - ) - - [hashtable[]]$reportSections = @() - - $reportSections += @{ - Title = "System Report" - AuditInfos = $SystemAuditInfos - } +[Report] @{ + Title = "IIS 10 Benchmarks" + ModuleName = "ATAPAuditor" + BasedOn = "CIS Microsoft IIS 10 Benchmark, Version: 1.1.0, Date: 12-11-2018" + HostInformation = Get-IISHostInformation + Sections = @( + [ReportSection] @{ + Title = "System Report" + AuditInfos = Get-IIS10SystemReport + } + [ReportSection] @{ + Title = "ApplicationHost" + AuditInfos = Get-IIS10ApplicationHostReport + } + foreach ($Site in Get-IISSite) { + $VirtualPaths = $Site | Get-IISSiteVirtualPaths -AllVirtualDirectories - $reportSections += @{ - Title = "ApplicationHost" - AuditInfos = $ApplicationHostInfos - } + [ReportSection] @{ + Title = "Full site report for: $($Site.Name)" + AuditInfos = $Site | Get-SiteAudit + SubSections = @( + foreach ($VirtualPath in $VirtualPaths) { + $Configuration = (Get-IISServerManager).GetWebConfiguration($Site.Name, $VirtualPath) - foreach ($SiteAudit in $SiteAudits) { - [hashtable[]]$virtualPathReports = foreach 
($VirtualPathAudit in $SiteAudit.VirtualPathAudits) { - @{ - Title = "Report for: $($VirtualPathAudit.VirtualPath)" - AuditInfos = $VirtualPathAudit.AuditInfos + [ReportSection]@{ + Title = "Report for: $VirtualPath" + AuditInfos = $Configuration | Get-VirtualPathAudit + } + } + ) } } - - $reportSections += @{ - Title = "Full site report for: $($SiteAudit.SiteName)" - AuditInfos = $SiteAudit.AuditInfos - SubSections = $virtualPathReports - } - } - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "IIS 10 Benchmarks" ` - -ModuleName "IIS10Audit" ` - -BasedOn "CIS Microsoft IIS 10 Benchmark v1.1.0 - 12-11-2018" ` - -HostInformation (Get-IISHostInformation) ` - -Sections $reportSections ` - -DarkMode:$DarkMode + ) } #endregion \ No newline at end of file diff --git a/ATAPAuditor/Reports/Microsoft Office 2016 Excel.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016 Excel.ps1 new file mode 100644 index 00000000..fbc20073 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016 Excel.ps1 @@ -0,0 +1,17 @@ +[Report] @{ + Title = 'Microsoft Excel 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = 'DISA Microsoft Excel 2016 Security Technical Implementation Guide, Version: V1R2, Date: 2017-10-27' + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office 2016 Outlook.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016 Outlook.ps1 new file mode 100644 index 00000000..730be5f4 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016 Outlook.ps1 
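Review bot: The new top-level `[Report] @{ ... }` literal runs every Test-* function the moment the file is dot-sourced, and nothing in this hunk says who loads it or that it must run elevated against a live IIS; the removed Get-IIS10HtmlReport carried that in its comment-based help, which is lost here. A short header above the literal would restore it, e.g. `# Report definition consumed by the ATAPAuditor report loader; evaluated at load time, so all IIS checks run when this file is dot-sourced and need local admin on an IIS host.`, adjusted to whatever the loader's actual contract is. The `-Path`, `-DarkMode` and pre-computed-data parameters of the old cmdlet disappear without a replacement visible in this hunk; if they moved into the module, a pointer in that comment would help.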
@@ -0,0 +1,17 @@ +[Report] @{ + Title = 'Microsoft Outlook 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = 'DISA Microsoft Outlook 2016 Security Technical Implementation Guide, Version: V1R2, Date: 2017-07-28' + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office 2016 PowerPoint.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016 PowerPoint.ps1 new file mode 100644 index 00000000..361b2487 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016 PowerPoint.ps1 @@ -0,0 +1,17 @@ +[Report] @{ + Title = 'Microsoft PowerPoint 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = 'DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14' + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office 2016 SkypeForBusiness.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016 SkypeForBusiness.ps1 new file mode 100644 index 00000000..817326f8 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016 SkypeForBusiness.ps1 
@@ -0,0 +1,17 @@ +[Report] @{ + Title = 'Microsoft Skype for Business 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = 'DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14' + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office 2016 Word.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016 Word.ps1 new file mode 100644 index 00000000..d9a7c945 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016 Word.ps1 @@ -0,0 +1,17 @@ +[Report] @{ + Title = 'Microsoft Word 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = 'DISA Microsoft Word 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14' + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office 2016.ps1 b/ATAPAuditor/Reports/Microsoft Office 2016.ps1 new file mode 100644 index 00000000..a3e0f40c --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office 2016.ps1 
@@ -0,0 +1,33 @@ +[Report] @{ + Title = 'Microsoft Office 2016 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + 'DISA Microsoft Excel 2016 Security Technical Implementation Guide, Version: V1R2, Date: 2017-10-27' + 'DISA Microsoft Outlook 2016 Security Technical Implementation Guide, Version: V1R2, Date: 2017-07-28' + 'DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14' + 'DISA Microsoft Skype for Business 2016 Security Technical Implementation, Version: Guide V1R1, Date: 2016-11-14' + 'DISA Microsoft Word 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14' + ) + Sections = @( + [ReportSection] @{ + Title = "Microsoft Excel 2016 DISA Recommendations" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Excel-DISA-V1R2#RegistrySettings" + } + [ReportSection] @{ + Title = "Microsoft Outlook 2016 DISA Recommendations" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Outlook-DISA-V1R2#RegistrySettings" + } + [ReportSection] @{ + Title = "Microsoft PowerPoint 2016 DISA Recommendations" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 PowerPoint-DISA-V1R1#RegistrySettings" + } + [ReportSection] @{ + Title = "Microsoft Skype for Business 2016 DISA Recommendations" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 SkypeForBusiness-DISA-V1R1#RegistrySettings" + } + [ReportSection] @{ + Title = "Microsoft Word 2016 DISA Recommendations" + AuditInfos = Test-AuditGroup "Microsoft Office 2016 Word-DISA-V1R1#RegistrySettings" + } + ) +} diff --git a/SQL2016Benchmarks/SQL2016Benchmarks.psm1 b/ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 similarity index 85% rename from SQL2016Benchmarks/SQL2016Benchmarks.psm1 rename to ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 index 6c23d6bf..aeab8d07 100644 --- a/SQL2016Benchmarks/SQL2016Benchmarks.psm1 +++ b/ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 
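Review bot: The Skype for Business entry in `BasedOn` has its words shuffled, `Security Technical Implementation, Version: Guide V1R1`, so the combined report cites a benchmark title that does not exist, while the standalone Skype report in this same commit has it right. Change it to `'DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide, Version: V1R1, Date: 2016-11-14'`. `BasedOn` is the string an auditor uses to trace a finding back to the STIG, so it should match the per-product file byte for byte.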
@@ -1,61 +1,23 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -<# - - Author(s): Dennis Esly, Peter Maier - Date: 01/22/2018 - Last change: 01/23/2018 - -#> -using module ATAPHtmlReport - - -if (get-module -ListAvailable SQLServer) { -Import-Module SQLServer -Force -ErrorAction SilentlyContinue -}elseif (get-module -ListAvailable SQLPS) { - Import-Module SQLPS -Force -ErrorAction SilentlyContinue +[CmdletBinding(DefaultParameterSetName = "Default")] +param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] + $SqlInstance, + + [string] + $MachineName = $env:COMPUTERNAME, + + [Parameter(Mandatory = $true, ParameterSetName = "ByAuditInfo")] + [Hashtable[]] + $InstanceAudits +) + +if (get-module -ListAvailable SQLPS) { + Import-Module SQLPS -Force +} +elseif (get-module -ListAvailable SQLServer) { + Import-Module SQLServer -Force } - - -# Load settings from setting file -#$ConfigFile = Import-LocalizedData -FileName Settings.psd1 - - -# Set the path and name of standard log file to path and name configured in settings -#$LogPath = $ConfigFile.Settings.LogFilePath -#$LogName = (Get-date -Format "yyyyMMdd")+"_"+$ConfigFile.Settings.LogFileName - - # CIS Microsoft SQL Server 2016 Benchmark # v1.0.0 - 08-11-2017 
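Review bot: The module preference is flipped: the new code loads the legacy `SQLPS` module first and only falls back to `SQLServer`, the reverse of the removed code. `SQLPS` is the older, superseded module, so keep `SqlServer` first: `if (Get-Module -ListAvailable SqlServer) { Import-Module SqlServer -Force } elseif (Get-Module -ListAvailable SQLPS) { Import-Module SQLPS -Force }`. The new script-level `param` block makes `$SqlInstance` or `$InstanceAudits` mandatory in their own sets; the loader that evaluates this report file is not visible here, so a one-line comment stating which parameter set the loader is expected to use (presumably `Default`, where nothing is mandatory) would prevent a surprise prompt. The BSD license header is also removed from this file; presumably it now lives at the module root, but confirm it is still shipped.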
@@ -122,16 +84,16 @@ function Test-SQLAdHocDistributedQueriesDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + ",`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -174,16 +136,16 @@ function Test-SQLClrEnabled { } if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
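Review bot: Replacing `[AuditStatus]::True` with the bare string `"True"` drops the type check that made a misspelled status fail loudly; with plain strings a typo such as `"Ture"` is silently carried into the report as an unknown value. If the enum is no longer reachable from these report scripts (the module that defines the report types is outside this diff), the consumer should at least validate the value, for example `[ValidateSet('True','False','Warning')]` on whatever receives `Audit`, or cast back with `[AuditStatus]$obj.Audit` when the object is collected. If the report layer already performs that cast, a one-line comment above the first `Add-Member NoteProperty Audit("True")` saying so would stop the next contributor from reinstating the enum. The same substitution is repeated in every hunk below and the point applies to all of them.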
@@ -227,16 +189,16 @@ function Test-SQLCrossDBOwnershipDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -280,16 +242,16 @@ function Test-SQLDatabaseMailXPsDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj 
@@ -334,16 +296,16 @@ function Test-SQLOleAutomationProceduresDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -387,16 +349,16 @@ function Test-SQLRemoteAccessDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use: " + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -443,16 +405,16 @@ function Test-SQLRemoteAdminConnectionsDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -496,16 +458,16 @@ function Test-SQLScanForStartupProcsDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -549,16 +511,16 @@ function Test-SQLTrustworthyDatabaseOff { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { - $obj | Add-Member NoteProperty Status("Found: " + $sqlResult.name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Status("Found $sqlResult.name") + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -608,24 +570,24 @@ function Test-SQLServerProtocolsDisabled { if ($foundProtocols.Count -eq 0) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } elseif ($foundProtocols.Count -eq 1) { $obj | Add-Member NoteProperty Status("Only one Protocol is enabled: " + $s) - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } elseif ($foundProtocols.Count -eq 2) { $obj | Add-Member NoteProperty Status("Following protocols are enabled: " + $s) - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } else { $obj | Add-Member NoteProperty Status("Following protocols are enabled: " + $s) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Mangement.Automation.MethodInvocationException] { $obj | Add-Member NoteProperty Status("MachineName not found or sqlInstance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
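Review bot: `Status("Found $sqlResult.name")` no longer prints the database name: inside a double-quoted string PowerShell expands only `$sqlResult` and then appends the literal text `.name`, so the status reads like `Found System.Data.DataRow.name`. Use the subexpression form that the removed line was equivalent to, `$obj | Add-Member NoteProperty Status("Found: $($sqlResult.name)")`. When several TRUSTWORTHY databases are found `$sqlResult` is an array and `.name` yields all of them, which is the desired output once it is inside `$( )`.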
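Review bot: The `catch [System.Mangement.Automation.MethodInvocationException]` clause in `Test-SQLServerProtocolsDisabled` names a type that does not exist (`Mangement`), so as far as I can tell, if the call in the try block throws, PowerShell fails with an "unable to find type" error instead of emitting the Warning object, and `$obj` is never written. The line is context rather than part of the change, but the commit edits the Audit line directly below it, so fix it in the same pass: `catch [System.Management.Automation.MethodInvocationException] {`. The same misspelling appears in the three service-account tests further down in this file.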
@@ -645,7 +607,7 @@ function Test-SQLUseNonStandardPorts { #> [CmdletBinding(DefaultParameterSetName = "Default")] param( - [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [Parameter(Mandatory = $true, ParameterSetName = "By Instance")] [string] $SqlInstance, [string] $MachineName = $env:COMPUTERNAME, @@ -676,16 +638,16 @@ function Test-SQLUseNonStandardPorts { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("TCP port 1433 in use") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -735,16 +697,16 @@ function Test-SQLHideInstanceEnabled { if ( $sqlResult.Hide_Instance -eq 1 ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Instance not hidden") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
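Review bot: The parameter set in `Test-SQLUseNonStandardPorts` is renamed from `"ByInstance"` to `"By Instance"` (with a space), while every other function in this file and the script's own `param` block use `ByInstance`. Parameter set names are compared as strings, so any caller that selects a set by name or checks `$PSCmdlet.ParameterSetName -eq 'ByInstance'` now misses this one function. Revert to `[Parameter(Mandatory = $true, ParameterSetName = "ByInstance")]`; if the rename was intentional it needs to be applied consistently and explained.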
@@ -788,16 +750,16 @@ function Test-SQLSaLoginAccountDisabled { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("SA Login Account enabled") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -841,16 +803,16 @@ function Test-SQLSaLoginAccountRenamed { if ($sqlResult.name -ne "sa") { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("SA Login Account not renamed") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -894,16 +856,16 @@ function Test-SQLXpCommandShellDisabled { if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -949,16 +911,16 @@ function Test-SQLAutoCloseOff { if ( $null -eq $sqlResult.name) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("AUTO_CLOSE not set to OFF") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -1002,16 +964,16 @@ function Test-SQLNoSaAccounnt { if ( $null -eq $sqlResult.name) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found login with name 'sa'") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -1061,20 +1023,20 @@ function Test-SQLServerAuthentication { if ( $sqlResult.login_mode -eq 1 ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } elseif ( $sqlResult.login_mode -eq 0 ) { $obj | Add-Member NoteProperty Status("Login mode set to Mixed Mode Authentication") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } else { $obj | Add-Member NoteProperty Status("An unknown error occured") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -1142,16 +1104,16 @@ function Test-SQLGuestPermissionOnDatabases { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Got $sqlResult") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj @@ -1163,7 +1125,7 @@ function Test-SQLGuestPermissionOnDatabases { $obj | Add-Member NoteProperty ID("3.2") $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } } @@ -1220,16 +1182,16 @@ function Test-SQLDropOrphanedUsers { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Got $sqlResult") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj 
@@ -1242,7 +1204,7 @@ function Test-SQLDropOrphanedUsers { $obj | Add-Member NoteProperty ID("3.3") $obj | Add-Member NoteProperty Task("Ensure 'Orphaned Users' are dropped for database $database") $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } } @@ -1279,10 +1241,10 @@ function Test-SQLAuthenticationDisabled { if ($databases.Count -eq 0) { $obj = New-Object PSObject - $obj | Add-Member NoteProperty ID("3.4") - $obj | Add-Member NoteProperty Task("Ensure SQL Authentication is not used in contained databases") + $obj | Add-Member NoteProperty ID("7.1") + $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") $obj | Add-Member NoteProperty Status("No databases found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } @@ -1313,16 +1275,16 @@ function Test-SQLAuthenticationDisabled { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Got $sqlResult") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj 
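Review bot: The `No databases found` object in `Test-SQLAuthenticationDisabled` now carries `ID("7.1")` and the task text for the symmetric-key encryption check, while the rest of the same function (visible in the next hunk) still reports `ID("3.4")`, so an auditor will see a 7.1 warning emitted by the 3.4 test. This looks like a paste from the 7.1 test; keep the function's identity with `$obj | Add-Member NoteProperty ID("3.4")` and `$obj | Add-Member NoteProperty Task("Ensure SQL Authentication is not used in contained databases")`. If the function really was meant to become 7.1, its name, synopsis and the other branches need the same change.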
@@ -1335,7 +1297,7 @@ function Test-SQLAuthenticationDisabled { $obj | Add-Member NoteProperty ID("3.4") $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") $obj | Add-Member NoteProperty Status("Ensure SQL Authentication is not used for database $database") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } } @@ -1343,11 +1305,11 @@ function Test-SQLAuthenticationDisabled { function Test-SQLServerServiceAccountIsNotAnAdministrator { <# .Synopsis - Ensure the SQL Server’s MSSQL Service Account is Not an Administrator. + Ensure the SQL Server’s MSSQL Service Account is Not an Administrator .DESCRIPTION CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization - 3.5 - Ensure the SQL Server’s MSSQL Service Account is Not an Administrator. + 3.5 - Ensure the SQL Server’s MSSQL Service Account is Not an Administrator The service account and/or service SID used by the MSSQLSERVER service for a default instance or MSSQL$ service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the MSSQL service as this account has higher privileges than the SQL Server service requires. @@ -1381,7 +1343,7 @@ function Test-SQLServerServiceAccountIsNotAnAdministrator { } catch [System.Mangement.Automation.MethodInvocationException] { $obj | Add-Member NoteProperty Status("MachineName not found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") return Write-Output $obj } } 
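Review bot: In the connection-failure branch of `Test-SQLAuthenticationDisabled` the `Task` still reads `Ensure CONNECT permissions on the 'guest' user is revoked for database $database` (the 3.2 wording) while the `Status` carries the 3.4 wording, so the report row is mislabeled and the real failure reason is lost. The commit only swaps the Audit value here, but the neighbouring lines deserve the same pass: `Task("Ensure SQL Authentication is not used in contained databases for database $database")` and a status that names the failure, as the 3.2 and 3.3 branches above do with `Status("Failed to connect to server $instanceName")` (assuming `$instanceName` is in scope here as it is there).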
@@ -1411,11 +1373,11 @@ function Test-SQLServerServiceAccountIsNotAnAdministrator { } if ($null -eq $sqlAdmins) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } Write-Output $obj } @@ -1423,11 +1385,11 @@ function Test-SQLServerServiceAccountIsNotAnAdministrator { function Test-SQLAgentServiceAccountIsNotAnAdministrator { <# .Synopsis - Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator. + Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator .DESCRIPTION CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization - 3.6 - Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator. + 3.6 - Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator The service account and/or service SID used by the SQLSERVERAGENT service for a default instance or SQLAGENT$ service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the SQLAGENT service as this account has higher privileges than the SQL Server service requires. @@ -1461,7 +1423,7 @@ function Test-SQLAgentServiceAccountIsNotAnAdministrator { } catch [System.Mangement.Automation.MethodInvocationException] { $obj | Add-Member NoteProperty Status("MachineName not found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") return Write-Output $obj } } 
@@ -1491,11 +1453,11 @@ function Test-SQLAgentServiceAccountIsNotAnAdministrator { } if ($null -eq $sqlAdmins) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } Write-Output $obj } @@ -1541,7 +1503,7 @@ function Test-SQLFullTextServiceAccountIsNotAnAdministrator { } catch [System.Mangement.Automation.MethodInvocationException] { $obj | Add-Member NoteProperty Status("MachineName not found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") return Write-Output $obj } } @@ -1571,11 +1533,11 @@ function Test-SQLFullTextServiceAccountIsNotAnAdministrator { } if ($null -eq $sqlAdmins) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } Write-Output $obj } 
@@ -1633,16 +1595,16 @@ function Test-SQLPermissionsForRolePublic { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found Permission:" + $sqlResult.permission_name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -1692,16 +1654,16 @@ function Test-SQLWindowsBuiltinNoSqlLogin { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found Account(s):" + $sqlResult.name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -1752,16 +1714,16 @@ function Test-SQLWindowsLocalGroupsNoSqlLogin { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found Group(s):" + $sqlResult.LocalGroupName) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -1814,16 +1776,16 @@ function Test-SQLPublicRoleMsdbDatabase { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found:" + $sqlResult.proxyname) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -1889,17 +1851,17 @@ function Test-SQLMustChangeOptionIsOn { } if ($mustChangeLogins.Count -gt 0) { $obj | Add-Member NoteProperty Status("Following Logins Must Change their password: " + $mustChangeLogins.name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } else { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj @@ -1957,16 +1919,16 @@ function Test-SQLCheckExpirationOptionOn { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found missmatching account(s): " + $s.name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
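Review bot: In the Test-SQLCheckExpirationOptionOn hunk the False-branch message is built from `$s.name`, but `$s` is not assigned anywhere in the hunk, while the sibling Test-SQLCheckPolicyOptionOn uses `$sqlResult.name` for the same purpose. Unless `$s` is set earlier in the function (outside the hunk), the report will flag the control as False but list no offending logins, which makes the finding impossible to act on. Use `$obj | Add-Member NoteProperty Status("Found mismatching account(s): " + $sqlResult.name)` to match the sibling check (and fix the "missmatching" spelling in both while there).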
@@ -2012,16 +1974,16 @@ function Test-SQLCheckPolicyOptionOn { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Found missmatching account(s):" + $sqlResult.name) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -2078,16 +2040,16 @@ function Test-SQLMaximumNumberOfErrorLogFiles { if ($numberOfLogFiles -ge 12) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Maximum number of error log files is set to $numberOfLogFiles") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
@@ -2132,16 +2094,16 @@ function Test-SQLDefaultTraceEnabled { if (($sqlResult.value_configured -eq 1) -and ($sqlResult.value_in_use -eq 1)) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Maximum number of error log files too high") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -2186,16 +2148,16 @@ function Test-SQLLoginAuditingIsSetToFailedLogins { if ($sqlResult.config_value -eq "failure") { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("config_value is set to: " + $sqlResult.config_value) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } 
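Review bot: The failure Status in Test-SQLDefaultTraceEnabled reads "Maximum number of error log files too high", which is copied from the error-log-file check and has nothing to do with default trace, so an auditor reading the report is told the wrong thing and is not shown the values that caused the finding. Replace it with the actual configuration, e.g. `$obj | Add-Member NoteProperty Status("Default trace is not enabled (value_configured: $($sqlResult.value_configured), value_in_use: $($sqlResult.value_in_use))")`. If the query returns no row, `$sqlResult` is `$null` and this branch is taken with empty values, which the message should still make recognisable; the query itself is outside the hunk.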
@@ -2248,72 +2210,55 @@ function Test-SQLLoginAuditingIsSetToFailedAndSuccessfulLogins { try { if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { - $sqlResults = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop } else { - $sqlResults = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop } - $auditChangeGroup = "FALSE" - $failedLoginGroup = "FALSE" - $successfulLoginGroup = "FALSE" - + $auditSpecifications = @() foreach ($sqlResult in $sqlResults) { switch ($sqlResult.audit_action_name) { "AUDIT_CHANGE_GROUP" { - if(($sqlResult | Select-Object -ExpandProperty "Audit Enabled") -eq "Y" -and - ($sqlResult | Select-Object -ExpandProperty "Audit Specification Enabled") -eq "Y" -and - ($sqlResult.audited_result -eq "SUCCESS AND FAILURE")) { - $auditChangeGroup = "TRUE" - } + $auditSpecifications += ($sqlResult) } "FAILED_LOGIN_GROUP" { - if(($sqlResult | Select-Object -ExpandProperty "Audit Enabled") -eq "Y" -and - ($sqlResult | Select-Object -ExpandProperty "Audit Specification Enabled") -eq "Y" -and - ($sqlResult.audited_result -eq "SUCCESS AND FAILURE")) { - $failedLoginGroup = "TRUE" - } + $auditSpecifications += ($sqlResult) } "SUCCESSFUL_LOGIN_GROUP" { - if(($sqlResult | Select-Object -ExpandProperty "Audit Enabled") -eq "Y" -and - ($sqlResult | Select-Object -ExpandProperty "Audit Specification Enabled") -eq "Y" -and - ($sqlResult.audited_result -eq "SUCCESS AND FAILURE")) { - $successfulLoginGroup = "TRUE" - } + $auditSpecifications += ($sqlResult) } Default {} } } + $foundSpecifications = @() + foreach ($auditSpecification in $auditSpecifications) { + if ((($auditspecification | Select-Object -ExpandProperty "Audit Enabled") -ne "Y") -or ` + (($auditspecification | Select-Object -ExpandProperty "Audit 
Specification Enabled") -ne "Y") -or ` + ($auditspecification.audited_result -ne "SUCCESS AND FAILURE")) { + $foundSPecifications += $auditSpecification.audit_action_name + } + } if ($null -eq $sqlResults) { $obj | Add-Member NoteProperty Status("TrackLogins file not found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } else { - if (($auditChangeGroup -eq "TRUE") -and ($failedLoginGroup -eq "TRUE") -and ($successfulLoginGroup -eq "TRUE")) { + if ($foundSpecifications.count -eq 0) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { - $specifications = @() - if ($auditChangeGroup -eq "FALSE") { - $specifications += "AUDIT_CHANGE_GROUP" - } - if ($failedLoginGroup -eq "FALSE") { - $specifications += "FAILED_LOGIN_GROUP" - } - if ($SuccessfulLoginGroup -eq "FALSE") { - $specifications += "SUCCESSFUL_LOGIN_GROUP" - } - [string]$status = $null - $status = $specifications -join ", " - $obj | Add-Member NoteProperty Status("Following specifications are not audited: $status") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + [string]$s = $null + $s = $foundSpecifications -join ", " + $obj | Add-Member NoteProperty Status("Found following specifications: $s") + $obj | Add-Member NoteProperty Audit("False") } } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj 
@@ -2371,16 +2316,16 @@ function Test-CLRAssemblyPermissionSet { } if ($unSafeAssemblies.Count -gt 0 ) { $obj | Add-Member NoteProperty Status("Found unsafe assmblies: " + $unSafeAssemblies) - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } else { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj @@ -2428,7 +2373,7 @@ function Test-SQLSymmetricKeyEncryptionAlgorithm { $obj | Add-Member NoteProperty ID("7.1") $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") $obj | Add-Member NoteProperty Status("No databases found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") return $obj } $index = 1 @@ -2458,16 +2403,16 @@ function Test-SQLSymmetricKeyEncryptionAlgorithm { if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Got $sqlResult") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } 
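Review bot: In the Test-SQLSymmetricKeyEncryptionAlgorithm hunk the False branch reports `Status("Got $sqlResult")`; if `Invoke-Sqlcmd` returns `DataRow` objects, as it typically does, string interpolation yields the type name rather than the key or algorithm names, so the report says a weak key exists but not which one. The same pattern appears in the 7.2 asymmetric-key hunk that follows. The selected column names are in the query above the hunk, so a precise message cannot be written from here; a column-agnostic alternative is `$obj | Add-Member NoteProperty Status("Found: " + (($sqlResult | ForEach-Object { $_.ItemArray -join ' ' }) -join ", "))`, to be confirmed against the query's columns.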
@@ -2481,7 +2426,7 @@ function Test-SQLSymmetricKeyEncryptionAlgorithm { $obj | Add-Member NoteProperty ID("7.1") $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } } @@ -2522,7 +2467,7 @@ function Test-SQLAsymmetricKeySize { $obj | Add-Member NoteProperty ID("7.2") $obj | Add-Member NoteProperty Task("Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases") $obj | Add-Member NoteProperty Status("No databases found") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") return $obj } @@ -2550,16 +2495,16 @@ function Test-SQLAsymmetricKeySize { } if ( $null -eq $sqlResult ) { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("Got $sqlResult") - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") } } catch [System.Data.SqlClient.SqlException] { $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } 
@@ -2574,7 +2519,7 @@ function Test-SQLAsymmetricKeySize { $obj | Add-Member NoteProperty ID("7.2") $obj | Add-Member NoteProperty Task("Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases") $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") Write-Output $obj } } @@ -2608,15 +2553,15 @@ function Test-SQLServerBrowserService { if ($sqlBrowserService.Status -eq 'stopped') { if ($sqlBrowserService.StartType -eq 'Disabled') { $obj | Add-Member NoteProperty Status("All good") - $obj | Add-Member NoteProperty Audit([AuditStatus]::True) + $obj | Add-Member NoteProperty Audit("True") } else { $obj | Add-Member NoteProperty Status("StartType: Enabled") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } } else { - $obj | Add-Member NoteProperty Audit([AuditStatus]::False) + $obj | Add-Member NoteProperty Audit("False") if ($sqlBrowserService.StartType -eq 'Disabled') { $obj | Add-Member NoteProperty Status("SQL Server Browser is running") } @@ -2627,7 +2572,7 @@ function Test-SQLServerBrowserService { } catch [Microsoft.PowerShell.Commands.ServiceCommandException] { $obj | Add-Member NoteProperty Status("Connot find any service with service name 'sqlbrowser'") - $obj | Add-Member NoteProperty Audit([AuditStatus]::Warning) + $obj | Add-Member NoteProperty Audit("Warning") } Write-Output $obj } @@ -2641,12 +2586,12 @@ function Convert-ToAuditInfo { ) process { - Write-Output (New-Object -TypeName AuditInfo -Property @{ - Id = $auditObject.ID - Task = $auditObject.Task - Message = $auditObject.Status - Audit = $auditObject.Audit - }) + Write-Output @{ + Id = $auditObject.ID + Task = $auditObject.Task + Message = $auditObject.Status + Status = $auditObject.Audit + } } } #endregion 
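Review bot: In the Test-SQLServerBrowserService hunk the Warning branch reports `Status("StartType: Enabled")`, but a Windows service start type is Automatic, Manual or Disabled, never "Enabled", so the report hides the value the administrator actually needs to change. Print the real value instead: `$obj | Add-Member NoteProperty Status("SQL Server Browser is stopped but StartType is $($sqlBrowserService.StartType)")`. The adjacent catch hunk for the same function also has a typo in a user-facing message, "Connot find any service with service name 'sqlbrowser'", which should read "Cannot".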
@@ -2664,6 +2609,7 @@ function Get-SQL2016AuditInfos { switch ($PsCmdlet.ParameterSetName) { "ByInstance" { $sqlInstances = $sqlInstance + break } "Default" { $smo = 'Microsoft.SqlServer.Management.Smo.' 
@@ -2742,111 +2688,67 @@ function Get-SQL2016AuditInfos { return $InstanceAudits } - -function Get-SQL2016Report { - <# - .Synopsis - Generates an audit report in an html file. - .Description - The `Get-SQL2016Report` cmdlet collects by default data from the current machine to generate an audit report. - .Parameter Path - Specifies the relative path to the file in which the report will be stored. - .Parameter SqlInstance - Specifies the name of an instance of SQL Server, as a string, that becomes the target of the operation. - .Parameter MachineName - Specifies the machine from which data will be collected - .Example - C:\PS> Get-SQL2016Report -Path "MyReport.html" -SqlInstance "MySQLServer" - #> - - [CmdletBinding(DefaultParameterSetName = "Default")] - Param( - [Parameter(Mandatory = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] - [string] $SqlInstance, - - [string] $MachineName = $env:COMPUTERNAME, - - [Parameter(Mandatory = $true, ParameterSetName = "ByAuditInfo")] - [Hashtable[]] $InstanceAudits, - - [switch] $DarkMode - ) - - switch ($PsCmdlet.ParameterSetName) { - "ByInstance" { - $InstanceAudits = (Get-SQL2016AuditInfos -SqlInstance $sqlInstance -MachineName $machineName) - } - "ByAuditInfo" { - - } - "Default" { - $InstanceAudits = (Get-SQL2016AuditInfos) - } +switch ($PsCmdlet.ParameterSetName) { + "ByInstance" { + $InstanceAudits = (Get-SQL2016AuditInfos -SqlInstance $sqlInstance -MachineName $machineName) + break } - - [hashtable[]]$reportSections = @() - - foreach ($InstanceAudit in $InstanceAudits) { - - [hashtable[]]$subSections = @() - - $subSections += @{ - Title = "2 Surface Area Reduction" - Description = "SQL Server offers various configuration options, some of them can be controlled by the sp_configure stored procedure. This section contains the listing of the corresponding recommendations." 
- AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "2.*"} - } - - $subSections += @{ - Title = "3 Authentication and Authorization" - Description = "This section contains recommendations related to SQL Server's authentication and authorization mechanisms." - AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "3.*"} - } - $subSections += @{ - Title = "4 Password Policies" - Description = "This section contains recommendations related to SQL Server's password policies." - AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "4.*"} - } - $subSections += @{ - Title = "5 Auditing and Logging" - Description = "This section contains recommendations related to SQL Server's audit and logging mechanisms." - AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "5.*"} - } - - $subSections += @{ - Title = "6 Application Development" - Description = "This section contains recommendations related to developing applications that interface with SQL Server." - AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "6.*"} - } - - $subSections += @{ - Title = "7 Encryption" - Description = "These recommendations pertain to encryption-related aspects of SQL Server." - AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "7.*"} - } - - $subSections += @{ - Title = "8 Appendix: Additional Considerations" - Description = "This appendix discusses possible configuration options for which no recommendation is being given." 
- AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "8.*"} - } - - $reportSections += @{ - Title = $InstanceAudit.InstanceName - Description = "This section contains the audits for the sqlInstance $($InstanceAudit.InstanceName)" - SubSections = $subSections - } + "ByAuditInfo" { + break } + "Default" { + $InstanceAudits = (Get-SQL2016AuditInfos) + } +} - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "SQL 2016 Benchmarks" ` - -ModuleName "SQL2016Audit" ` - -BasedOn "CIS Microsoft SQL Server 2016 Benchmark v1.0.0 - 08-11-2017" ` - -Sections $reportSections ` - -DarkMode:$DarkMode +[Report] @{ + Title = "SQL 2016 Benchmarks" + ModuleName = "ATAPAuditor" + BasedOn = "CIS Microsoft SQL Server 2016 Benchmark, Version: 1.0.0, Date: 2017-11-08" + Sections = @( + foreach ($InstanceAudit in $InstanceAudits) { + [ReportSection] @{ + Title = $InstanceAudit.InstanceName + Description = "This section contains the audits for the sqlInstance $($InstanceAudit.InstanceName)" + SubSections = @( + [ReportSection] @{ + Title = "2 Surface Area Reduction" + Description = "SQL Server offers various configuration options, some of them can be controlled by the sp_configure stored procedure. This section contains the listing of the corresponding recommendations." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "2.*"} + } + [ReportSection] @{ + Title = "3 Authentication and Authorization" + Description = "This section contains recommendations related to SQL Server's authentication and authorization mechanisms." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "3.*"} + } + [ReportSection] @{ + Title = "4 Password Policies" + Description = "This section contains recommendations related to SQL Server's password policies." 
+ AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "4.*"} + } + [ReportSection] @{ + Title = "5 Auditing and Logging" + Description = "This section contains recommendations related to SQL Server's audit and logging mechanisms." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "5.*"} + } + [ReportSection] @{ + Title = "6 Application Development" + Description = "This section contains recommendations related to developing applications that interface with SQL Server." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "6.*"} + } + [ReportSection] @{ + Title = "7 Encryption" + Description = "These recommendations pertain to encryption-related aspects of SQL Server." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "7.*"} + } + [ReportSection] @{ + Title = "8 Appendix: Additional Considerations" + Description = "This appendix discusses possible configuration options for which no recommendation is being given." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "8.*"} + } + ) + } + } + ) } -#endregion \ No newline at end of file +#endregion diff --git a/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 new file mode 100644 index 00000000..f30a387e --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 
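Review bot: The replacement for Get-SQL2016Report runs `switch ($PsCmdlet.ParameterSetName)` at script scope and reads `$sqlInstance` and `$machineName`, all of which were parameters of the removed function; `$PsCmdlet` is only populated inside an advanced function or a script with a `[CmdletBinding()]` `param(...)` block. If the new report file has no such block above the hunk, `$PsCmdlet.ParameterSetName` is `$null`, neither the "ByInstance" nor the "Default" case matches, `$InstanceAudits` is never assigned, and the report is emitted with an empty Sections list rather than failing loudly. The top of the file is outside the hunk, so this needs confirming; if the parameters are intended to be fixed, a comment such as `# $sqlInstance / $machineName are expected to be bound by the enclosing param block` would make the dependency explicit. A `default {}` arm that throws when no case matched would also turn the silent empty report into a visible error.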
@@ -0,0 +1,30 @@ +[Report] @{ + Title = "Windows 10 GDPR Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + 'Bundesamt für Sicherheit in der Informationstechnik (BSI), Version: V1.1, Date: 2019-07-31' + 'GDPR settings by Microsoft, Version: 16082019, Date: 2019-08-16' + ) + Sections = @( + [ReportSection] @{ + Title = "BSI Recommendations" + Description = "This section contains the Telemetry-Recommendations of the Federal Office for Information Security (BSI)" + SubSections = @( + [ReportSection] @{ + Title = "Telemetry" + AuditInfos = Test-AuditGroup "Microsoft Windows 10 GDPR-BSI-V1.1#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "Data Protection Microsoft" + Description = "This section contains all benchmarks given by Microsoft to be GDPR compliant" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings" + AuditInfos = Test-AuditGroup "Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows 10.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10.ps1 new file mode 100644 index 00000000..29768448 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10.ps1 
@@ -0,0 +1,66 @@ +[Report] @{ + Title = "Windows 10 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark, Version: 1.8.1, Date: 2020-01-28" + "Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25" + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = 'This section contains the CIS Benchmark results.' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-1.8.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-1.8.1#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-1.8.1#AccountPolicies" + } + # [ReportSection] @{ + # Title = 'Windows Firewall with Advanced Security' + # AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-1.8.1#FirewallProfileSettings" + # } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-1.8.1#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains the DISA STIG results." 
+ SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#AccountPolicies" + } + [ReportSection] @{ + Title = "Windows Features" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#WindowsOptionalFeatures" + } + [ReportSection] @{ + Title = "File System Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#FileSystemPermissions" + } + [ReportSection] @{ + Title = "Registry Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R16#RegistryPermissions" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 new file mode 100644 index 00000000..df139375 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 
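Review bot: The CIS section in the Windows 10 report describes itself as "This section contains the CIS Benchmark results", yet the "Windows Firewall with Advanced Security" subsection is commented out, so a reader of the generated report has no indication that the firewall recommendations are not audited and may treat the report as complete coverage. State the gap in the section description, e.g. `Description = 'This section contains the CIS Benchmark results. The Windows Firewall with Advanced Security recommendations are not yet audited.'`, or remove the commented block and track it elsewhere. The same commented-out subsection appears in the Server 2016 and Server 2019 report files in this commit.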
@@ -0,0 +1,71 @@ + +[Report] @{ + Title = "Windows Server 2016 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "Windows Server 2016 Security Technical Implementation Guide, Version: V1R6, Date: 2018-10-26" + "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark, Version: 1.1.0, Date: 2018-10-15" + ) + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all recommendations from the Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#RegistrySettings" + }, + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#UserRights" + }, + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#AccountPolicies" + }, + [ReportSection] @{ + Title = "Windows Features" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#WindowsFeatures" + }, + [ReportSection] @{ + Title = "File System Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#FileSystemPermissions" + }, + [ReportSection] @{ + Title = "Registry Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R6#RegistryPermissions" + }#, + # [ReportSection] @{ + # Title = "Other" + # AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-#Other" + # } + ) + } + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet." 
+ SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-1.1.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-1.1.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-1.1.0#AccountPolicies" + } + # [ReportSection] @{ + # Title = "Windows Firewall with Advanced Security" + # AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-1.1.0#FirewallProfileSettings" + # } + [ReportSection] @{ + Title = " Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-1.1.0#AuditPolicies" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 new file mode 100644 index 00000000..5bb52352 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 
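Review bot: The Windows Server 2016 report's provenance is internally inconsistent: `BasedOn` cites STIG V1R6 (2018-10-26) and CIS 1.1.0 (2018-10-15), while the DISA section description says "V1R5 2018-07-27" and the CIS description says "v1.0.0 - 03-31-2017", and the audit group names in the hunk (`...-DISA-V1R6#...`, `...-CIS-1.1.0#...`) match `BasedOn`. For an audit artefact the stated baseline matters, so align the descriptions with the versions actually tested: `Description = "This section contains all recommendations from the Windows Server 2016 Security Technical Implementation Guide V1R6 2018-10-26"` and `Description = "This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 2018-10-15. WARNING: Tests in this version haven't been fully tested yet."`. The stray `}#,` before the commented "Other" subsection can also be cleaned to `}` once the block is removed or re-enabled.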
@@ -0,0 +1,67 @@ + +[Report] @{ + Title = "Windows Server 2019 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "Windows Server 2019 Security Technical Implementation Guide, Version: V1R2, Date: 2020-01-24" + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.1.0, Date: 2020-01-10" + ) + Sections = @( + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all recommendations from DISA" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#RegistrySettings" + }, + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#UserRights" + }, + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#AccountPolicies" + }, + [ReportSection] @{ + Title = "Windows Features" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#WindowsFeatures" + }, + [ReportSection] @{ + Title = "File System Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#FileSystemPermissions" + }, + [ReportSection] @{ + Title = "Registry Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R2#RegistryPermissions" + } + ) + } + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all benchmarks from CIS" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-1.1.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-1.1.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-1.1.0#AccountPolicies" + } + # [ReportSection] @{ + # Title = "Windows 
Firewall with Advanced Security" + # AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-1.1.0#FirewallProfileSettings" + # } + [ReportSection] @{ + Title = " Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-1.1.0#AuditPolicies" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Mozilla Firefox.ps1 b/ATAPAuditor/Reports/Mozilla Firefox.ps1 new file mode 100644 index 00000000..83d03456 --- /dev/null +++ b/ATAPAuditor/Reports/Mozilla Firefox.ps1 
@@ -0,0 +1,863 @@ +<# +BSD 3-Clause License + +Copyright (c) 2019, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#> + +#region Import tests configuration settings +$CisBenchmarks = @{ + FirefoxLockPrefSettings = @( + @{ + Id = "2.1" + Task = "Enable Automatic Updates" + LockPrefs = @( + @{ Name = "app.update.auto"; Value = $true } + @{ Name = "app.update.enabled"; Value = $true } + @{ Name = "app.update.staging.enabled"; Value = $true } + ) + } + @{ + Id = "2.2" + Task = "Enable Auto-Notification of Outdated Plugins" + LockPrefs = @( + @{ Name = "plugins.update.notifyUser"; Value = $true } + ) + } + @{ + Id = "2.3" + Task = "Enable Information Bar for Outdated Plugins" + LockPrefs = @( + @{ Name = "plugins.hide_infobar_for_outdated_plugin"; Value = $false } + ) + } + @{ + Id = "2.4" + Task = "Set Update Interval Time Checks" + LockPrefs = @( + @{ Name = "app.update.interval"; Value = 43200 } + ) + } + @{ + Id = "2.5" + Task = "Set Update Wait Time Prompt" + LockPrefs = @( + @{ Name = "app.update.promptWaitTime"; Value = 172800 } + ) + } + @{ + Id = "2.6" + Task = "Ensure Update-related UI Components are Displayed" + LockPrefs = @( + @{ Name = "app.update.silent"; Value = $false } + ) + } + @{ + Id = "2.7" + Task = "Set Search Provider Update Behavior" + LockPrefs = @( + @{ Name = "app.update.auto"; Value = $true } + @{ Name = "app.update.enabled"; Value = $true } + ) + } + # @{ + # Id = "3.1" + # Task = "Validate Proxy Settings" + # } + @{ + Id = "3.2" + Task = "Do Not Send Cross SSLTLS Referrer Header" + LockPrefs = @( + @{ Name = "network.http.sendSecureXSiteReferrer"; Value = $false } + ) + } + @{ + Id = "3.3" + Task = "Disable NTLM v1" + LockPrefs = @( + @{ Name = "network.auth.force-generic-ntlm-v1"; Value = $false } + ) + } + @{ + Id = "3.4" + Task = "Enable Warning For Phishy URLs" + LockPrefs = @( + @{ Name = "network.http.phishy-userpass-length"; Value = 1 } + ) + } + @{ + Id = "3.5" + Task = "Enable IDN Show Punycode" + LockPrefs = @( + @{ Name = "network.IDN_show_punycode"; Value = $true } + ) + } + @{ + Id = "3.6" + Task = "Set File URI Origin Policy" + LockPrefs 
= @( + @{ Name = "security.fileuri.strict_origin_policy"; Value = $true } + ) + } + @{ + Id = "3.7" + Task = "Disable Cloud Sync" + LockPrefs = @( + @{ Name = "services.sync.enabled"; Value = $false } + ) + } + @{ + Id = "3.8" + Task = "Disable WebRTC" + LockPrefs = @( + @{ Name = "media.peerconnection.enabled"; Value = $false } + @{ Name = "media.peerconnection.use_document_iceservers"; Value = $false } + ) + } + @{ + Id = "4.1" + Task = "Set SSL Override Behavior" + LockPrefs = @( + @{ Name = "browser.ssl_override_behavior"; Value = 0 } + ) + } + @{ + Id = "4.2" + Task = "Set Security TLS Version Maximum" + LockPrefs = @( + @{ Name = "security.tls.version.max"; Value = 3 } + ) + } + @{ + Id = "4.3" + Task = "Set Security TLS Version Minimum " + LockPrefs = @( + @{ Name = "security.tls.version.min"; Value = 1 } + ) + } + @{ + Id = "4.4" + Task = "Set OCSP Use Policy" + LockPrefs = @( + @{ Name = "security.OCSP.enabled"; Value = 1 } + ) + } + @{ + Id = "4.5" + Task = "Block Mixed Active Content" + LockPrefs = @( + @{ Name = "security.mixed_content.block_active_content"; Value = $true } + ) + } + @{ + Id = "4.6" + Task = "Set OCSP Response Policy" + LockPrefs = @( + @{ Name = "security.OCSP.require"; Value = $true } + ) + } + @{ + Id = "5.1" + Task = "Disallow JavaScripts Ability to Change the Status Bar Text" + LockPrefs = @( + @{ Name = "dom.disable_window_status_change"; Value = $true } + ) + } + @{ + Id = "5.2" + Task = "Disable Scripting of Plugins by JavaScript" + LockPrefs = @( + @{ Name = "security.xpconnect.plugin.unrestricted"; Value = $false } + ) + } + @{ + Id = "5.3" + Task = "Disallow JavaScripts Ability to Hide the Address Bar" + LockPrefs = @( + @{ Name = "dom.disable_window_open_feature.location"; Value = $true } + ) + } + @{ + Id = "5.4" + Task = "Disallow JavaScripts Ability to Hide the Status Bar" + LockPrefs = @( + @{ Name = "dom.disable_window_open_feature.status"; Value = $true } + ) + } + @{ + Id = "5.5" + Task = "Disable Closing of Windows 
via Scripts" + LockPrefs = @( + @{ Name = "dom.allow_scripts_to_close_windows"; Value = $false } + ) + } + @{ + Id = "5.6" + Task = "Block Pop-up Windows" + LockPrefs = @( + @{ Name = "privacy.popups.policy"; Value = 1 } + ) + } + @{ + Id = "5.7" + Task = "Disable Displaying JavaScript in History URLs" + LockPrefs = @( + @{ Name = "browser.urlbar.filter.javascript"; Value = $true } + ) + } + @{ + Id = "6.1" + Task = "Disallow Credential Storage" + LockPrefs = @( + @{ Name = "signon.rememberSignons"; Value = $false } + ) + } + @{ + Id = "6.2" + Task = "Do Not Accept Third Party Cookies" + LockPrefs = @( + @{ Name = "network.cookie.cookieBehavior"; Value = 1 } + ) + } + @{ + Id = "6.3" + Task = "Tracking Protection" + LockPrefs = @( + @{ Name = "privacy.donottrackheader.enabled"; Value = $true } + @{ Name = "privacy.donottrackheader.value"; Value = 1 } + @{ Name = "privacy.trackingprotection.enabled"; Value = $true } + @{ Name = "privacy.trackingprotection.pbmode"; Value = $true } + ) + } + @{ + Id = "6.4" + Task = "Set Delay for Enabling Security Sensitive Dialog Boxes" + LockPrefs = @( + @{ Name = "security.dialog_enable_delay"; Value = 2000 } + ) + } + @{ + Id = "6.5" + Task = "Disable Geolocation Serivces" + LockPrefs = @( + @{ Name = "geo.enabled"; Value = $false } + ) + } + @{ + Id = "7.1" + Task = "Secure Application Plug-ins" + LockPrefs = @( + @{ Name = "browser.helperApps.alwaysAsk.force"; Value = $true } + ) + } + @{ + Id = "7.2" + Task = "Disabling Auto-Install of Add-ons" + LockPrefs = @( + @{ Name = "xpinstall.whitelist.required"; Value = $true } + ) + } + @{ + Id = "7.3" + Task = "Enable Extension Block List" + LockPrefs = @( + @{ Name = "extensions.blocklist.enabled"; Value = $true } + ) + } + @{ + Id = "7.4" + Task = "Set Extension Block List Interval" + LockPrefs = @( + @{ Name = "extensions.blocklist.interval"; Value = 86400 } + ) + } + @{ + Id = "7.5" + Task = "Enable Warning for External Protocol Handler" + LockPrefs = @( + @{ Name = 
"network.protocol-handler.warn-external-default"; Value = $true } + ) + } + @{ + Id = "7.6" + Task = "Disable Popups Initiated by Plugins" + LockPrefs = @( + @{ Name = "privacy.popups.disable_from_plugins"; Value = 2 } + ) + } + @{ + Id = "7.7" + Task = "Enable Extension Auto Update" + LockPrefs = @( + @{ Name = "extensions.update.autoUpdateDefault"; Value = $true } + ) + } + @{ + Id = "7.8" + Task = "Enable Extension Update" + LockPrefs = @( + @{ Name = "extensions.update.enabled"; Value = $true } + ) + } + @{ + Id = "7.9" + Task = "Set Extension Update Interval Time Checks" + LockPrefs = @( + @{ Name = "extensions.update.interval"; Value = 86400 } + ) + } + @{ + Id = "8.1" + Task = "Enable Virus Scanning for Downloads" + LockPrefs = @( + @{ Name = "browser.download.manager.scanWhenDone"; Value = $true } + ) + } + @{ + Id = "8.2" + Task = "Disable JAR from Opening Unsafe File Types" + LockPrefs = @( + @{ Name = "network.jar.open-unsafe-types"; Value = $false } + ) + } + @{ + Id = "8.3" + Task = "Block Reported Web Forgeries" + LockPrefs = @( + @{ Name = "browser.safebrowsing.enabled"; Value = $true } + ) + } + @{ + Id = "8.4" + Task = "Block Reported Attack Sites" + LockPrefs = @( + @{ Name = "browser.safebrowsing.malware.enabled"; Value = $true } + ) + } + ) +} + +$DisaRequirements = @{ + # RegistrySettings = @( + # @{ + # Id = "DTBF003" + # Task = "Installed version of Firefox unsupported." + # Path = "HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion" + # Name = "firefox.exe" + # Value = 0 # is equal to or greater than 50.1.x (or ESR 45.7.x) + # } + # ) + FirefoxLockPrefSettings = @( + @{ + Id = "DTBF030" + Task = "Firewall traversal from remote host must be disabled." 
+ LockPrefs = @( + @{ Name = "security.enable_tls"; Value = $true } + @{ Name = "security.tls.version.min"; Value = 2 } + @{ Name = "security.tls.version.max"; Value = 3 } + ) + } + @{ + Id = "DTBF050" + Task = "FireFox is configured to ask which certificate to present to a web site when a certificate is required." + LockPrefs = @( + @{ Name = "security.default_personal_cert"; Value = "Ask Every Time" } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF080" + # Task = "Firefox application is set to auto-update." + # } + @{ + Id = "DTBF085" + Task = "Firefox automatically checks for updated version of installed Search plugins." + LockPrefs = @( + @{ Name = "browser.search.update"; Value = $false } + ) + } + @{ + Id = "DTBF090" + Task = "Firefox automatically updates installed add-ons and plugins." + LockPrefs = @( + @{ Name = "extensions.update.enabled"; Value = $false } + ) + } + @{ + Id = "DTBF105" + Task = "Network shell protocol is enabled in FireFox." + LockPrefs = @( + @{ Name = "network.protocol-handler.external.shell"; Value = $false } + ) + } + # @{ # no longer available + # Id = "DTBF110" + # Task = "Firefox is not configured to prompt a user before downloading and opening required file types." + # } + # @{ # no longer available + # Id = "DTBF130" + # Task = "Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page." + # } + @{ + Id = "DTBF140" + Task = "Firefox formfill assistance option is disabled." + LockPrefs = @( + @{ Name = "browser.formfill.enable"; Value = $false } + ) + } + @{ + Id = "DTBF150" + Task = "Firefox is configured to autofill passwords." + LockPrefs = @( + @{ Name = "signon.autofillForms"; Value = $false } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF160" + # Task = "FireFox is configured to use a password store with or without a master password." 
+ # } + # @{ # Not set - see CIS benchmark 5.4_L1_Disallow_JavaScripts_Ability_to_Hide_the_Status_Bar + # Id = "DTBF180" + # Task = "FireFox is not configured to block pop-up windows. + # } + @{ + Id = "DTBF181" + Task = "FireFox is configured to allow JavaScript to move or resize windows." + LockPrefs = @( + @{ Name = "dom.disable_window_move_resize"; Value = $true } + ) + } + @{ + Id = "DTBF183" + Task = " Firefox is configured to allow JavaScript to disable or replace context menus." + LockPrefs = @( + @{ Name = "dom.event.contextmenu.enabled"; Value = $false } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF184" + # Task = "Firefox is configured to allow JavaScript to hide or change the status bar." + # } + # @{ # no longer available + # Id = "DTBF186" + # Task = "Extensions install must be disabled." + # } + @{ + Id = "DTBF190" + Task = "Background submission of information to Mozilla must be disabled." + LockPrefs = @( + @{ Name = "datareporting.policy.dataSubmissionEnabled"; Value = $false } + @{ Name = "datareporting.healthreport.service.enabled"; Value = $false } + @{ Name = "datareporting.healthreport.uploadEnabled"; Value = $false } + ) + } + ) +} + +#endregion + +#region helper classes +class LockPrefSetting { + [string] $Name + $Value +} +#endregion + +#region Helper functions +function Get-FirefoxInstallDirectory { + $firefoxPath = "HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\" + if (-not (Test-Path $firefoxPath)) { + $firefoxPath = "HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\" + } + $currentFirefox = Get-ChildItem -Path $firefoxPath | Select-Object -Last 1 + $installDir = $currentFirefox | Get-ChildItem | Where-Object PSChildName -EQ "Main" + return $installDir | Get-ItemProperty | Select-Object -ExpandProperty "Install Directory" +} + +function Get-FirefoxLocalSettingsFile { + return "{0}\defaults\pref\local-settings.js" -f (Get-FirefoxInstallDirectory) +} + +function Get-FirefoxMozillaCfgFileName { + $localSettingsFilePath = 
Get-FirefoxLocalSettingsFile + $content = if (Test-Path $localSettingsFilePath) { Get-Content $localSettingsFilePath } else { $null } + $filename = $content | ForEach-Object { + if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") { + return $Matches[1] + } + return $null + } | Where-Object { $null -ne $_ } | Select-Object -Last 1 + + if ($null -eq $filename) { + return "mozilla.cfg" + } + + return $filename +} + +function Get-FirefoxMozillaCfgFile { + return "{0}\{1}" -f (Get-FirefoxInstallDirectory), (Get-FirefoxMozillaCfgFileName) +} + +function Get-FirefoxLockPrefs { + if (-not (Test-Path (Get-FirefoxMozillaCfgFile))) { + return $null + } + + $regex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f @( + "(?true|false)" + "(?\d+)" + "`"(?(\\.|[^`"\\])*)`"" + ) + + $currentLockPrefs = Get-Content (Get-FirefoxMozillaCfgFile) | ForEach-Object { + if ($_ -match $regex) { + $value = $null + if ($Matches.Keys -contains "bool") { + $value = [bool]::Parse($Matches["bool"]) + } + elseif ($Matches.Keys -contains "number") { + $value = [int]::Parse($Matches["number"]) + } + elseif ($Matches.Keys -contains "string") { + $value = $Matches["string"] + } + + [LockPrefSetting]@{ Name = $Matches[1]; Value = $value } + } + } | Where-Object { $null -ne $_ } + + return $currentLockPrefs +} +#endregion + +#region Audit functions +function Get-RegistryAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Path, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Name, + + [Parameter(ValueFromPipelineByPropertyName = $true)] + [AllowEmptyString()] + [object[]] $Value, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [ScriptBlock] 
$Predicate, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [String] $ExpectedValue, + + [Parameter(ValueFromPipelineByPropertyName = $true)] + [bool] $DoesNotExist = $false + ) + + process { + try { + $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` + | Select-Object -ExpandProperty $Name + + if (-not (& $Predicate $regValues)) { + $regValue = $regValues -join ", " + + return @{ + Id = $Id + Task = $Task + Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + if ($DoesNotExist) { + return @{ + Id = $Id + Task = $Task + Message = "Compliant. Registry value not set." + Status = "True" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if ($DoesNotExist) { + return @{ + Id = $Id + Task = $Task + Message = "Compliant. Registry value not set." + Status = "True" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } + } +} + +function Get-FirefoxLocalSettingsFileAudit { + $Id = "1.1" + $Task = "Create local-settings.js file" + + if (-not (Test-Path (Get-FirefoxLocalSettingsFile))){ + return @{ + Id = $Id + Task = $Task + Message = "local-settings.js file does not exist." + Status = "False" + } + } + + $generalConfigFilename = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object { + $_ -match "^pref\s*\(\s*`"general\.config\.filename`"\s*,\s*`"([\w\-. 
]+\.cfg)`"\s*\);" + } + + if ($generalConfigFilename.Count -eq 0) { + return @{ + Id = $Id + Task = $Task + Message = "File does not set 'general.config.filename'" + Status = "False" + } + } + + $generalConfigObscure = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object { + $_ -match "^pref\s*\(\s*`"general\.config\.obscure_value`"\s*,\s*0\s*\);" + } + + if ($generalConfigObscure.Count -eq 0) { + return @{ + Id = $Id + Task = $Task + Message = "File does not set 'general.config.obscure' = 0" + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } +} + +function Get-FirefoxMozillaCfgFileAudit { + $name = Get-FirefoxMozillaCfgFileName + + $Id = "1.3" + $Task = "Create $name file" + + if (-not (Test-Path (Get-FirefoxMozillaCfgFile))){ + return @{ + Id = $Id + Task = $Task + Message = "$name file does not exist." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } +} + +function Get-FileAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Path, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [scriptblock] $Predicate + ) + + process { + if (-not (Test-Path $Path)) { + return @{ + Id = $Id + Task = $Task + Message = "File does not exist." + Status = "False" + } + } + + if (-not (&$Predicate (Get-Content $Path))) { + return @{ + Id = $Id + Task = $Task + Message = "File does not match predicate." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant." 
+ Status = "True" + } + } +} + +function Get-LockPrefSettingAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [array] $LockPrefs, + + [LockPrefSetting[]] $CurrentLockPrefs = (Get-FirefoxLockPrefs) + ) + + process { + if ($null -eq $CurrentLockPrefs) { + return @{ + Id = $Id + Task = $Task + Message = "general config does not exist." + Status = "None" + } + } + + $missingLockPrefs = $LockPrefs | Where-Object { + $LockPref = $_ + # LockPref not in currentLockPrefs + ($currentLockPrefs | Where-Object { + ($_.Name -eq $LockPref.Name) -and ($_.Value -is $LockPref.Value.GetType()) -and ($_.Value -eq $LockPref.Value) + }).Count -eq 0 + } + + if ($missingLockPrefs.Count -gt 0) { + $msg = ($missingLockPrefs | ForEach-Object { "lockPref(`"{0}`", {1})" -f $_.Name, $_.Value }) -join "; " + + return @{ + Id = $Id + Task = $Task + Message = "Missing lockprefs: $msg." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant." 
+ Status = "True" + } + } +} +#endregion + +$currentLockPrefs = Get-FirefoxLockPrefs + +[Report] @{ + Title = 'Mozilla Firefox Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + 'CIS Mozilla Firefox 38 ESR Benchmark, Version: 1.0.0, Date: 2015-12-31' + 'DISA Mozilla FireFox Security Technical Implementation Guide, Version: V4R24, Date: 2019-01-25' + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = 'This section contains all CIS benchmarks' + Subsections = @( + [ReportSection] @{ + Title = "Configure Locked Preferences" + AuditInfos = @( + Get-FirefoxLocalSettingsFileAudit + # missing 1.2 + Get-FirefoxMozillaCfgFileAudit + # missing 1.4 + # missing 1.5 + ) + } + [ReportSection] @{ + Title = "Preference Settings" + AuditInfos = foreach ($setting in $CisBenchmarks.FirefoxLockPrefSettings) { + $obj = New-Object -TypeName psobject -Property $setting + Write-Output ($obj | Get-LockPrefSettingAudit -CurrentLockPrefs $currentLockPrefs) + } + } + ) + } + [ReportSection] @{ + Title = 'DISA Recommendations' + Description = 'This section contains all DISA recommendations' + Subsections = @( + [ReportSection] @{ + Title = "Preference Settings" + AuditInfos = foreach ($setting in $DisaRequirements.FirefoxLockPrefSettings) { + $obj = New-Object -TypeName psobject -Property $setting + Write-Output ($obj | Get-LockPrefSettingAudit -CurrentLockPrefs $currentLockPrefs) + } + } + ) + } + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Resources/FirefoxPreferences.ps1 b/ATAPAuditor/Resources/FirefoxPreferences.ps1 new file mode 100644 index 00000000..6d792a13 --- /dev/null +++ b/ATAPAuditor/Resources/FirefoxPreferences.ps1 
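Review bot: `Get-LockPrefSettingAudit` requires an exact `-eq` match on every pref value, which for the minimum-TLS-version entries (CIS 4.3 expects `security.tls.version.min = 1`, DISA DTBF030 expects `2`) reports a host that locks the pref to a stricter value as non-compliant, and no single configuration can satisfy both checks at once. A per-entry flag on the benchmark data (e.g. `AtLeast = $true` on those two items) with the filter widened to `($_.Value -eq $LockPref.Value) -or ($LockPref.AtLeast -and $_.Value -ge $LockPref.Value)` keeps exact matching as the default while not penalising a tighter minimum. Two smaller points in the same hunk: the DTBF030 `Task` text ("Firewall traversal from remote host must be disabled.") does not describe the TLS prefs it checks and looks copied from a different requirement, and the failure message in `Get-FirefoxLocalSettingsFileAudit` names `'general.config.obscure'` while the regex matches `general.config.obscure_value`. `Get-RegistryAudit` and `Get-FileAudit` are defined but never called in this file, and `Get-FirefoxMozillaCfgFileName` accepts only `\s?` after the comma while the 1.1 audit regex accepts `\s*` around every token, so a spaced-out `pref(...)` line passes the audit yet the lookup silently falls back to `mozilla.cfg`.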
@@ -0,0 +1,60 @@
+# Calculate Firefox installation path
+$firefoxRegKeyPath = 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\'
+if (-not (Test-Path $firefoxRegKeyPath)) {
+ $firefoxRegKeyPath = 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\'
+}
+$currentFirefoxRegKey = Get-ChildItem -Path $firefoxRegKeyPath | Select-Object -Last 1
+$installDirRegKey = $currentFirefoxRegKey | Get-ChildItem | Where-Object PSChildName -EQ 'Main'
+$InstallationPath = $installDirRegKey | Get-ItemProperty | Select-Object -ExpandProperty 'Install Directory'
+
+# Calculate Firefox local-settings path
+$LocalSettingsPath = "$InstallationPath\defaults\pref\local-settings.js"
+
+# Calculate Firefox config path
+$preferenceConfigFilename = 'mozilla.cfg'
+if (Test-Path $LocalSettingsPath) {
+ foreach ($line in (Get-Content $LocalSettingsPath)) {
+ if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") {
+ $preferenceConfigFilename = $Matches[1]
+ }
+ }
+}
+$PreferenceConfigPath = "$InstallationPath\$preferenceConfigFilename"
+
+# Gather lines into lockPref list
+# if (-not (Test-Path $LocalSettingsPath) -or
+# -not (Test-Path $PreferenceConfigPath)) {
+# return $null
+# }
+
+$boolRegex = '(?true|false)'
+$numberRegex = '(?\d+)'
+$stringRegex = '"(?(\\.|[^`"\\])*)"'
+$lineRegex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f $boolRegex, $numberRegex, $stringRegex
+
+$LockedPreferences = @()
+if (Test-Path $PreferenceConfigPath) {
+ foreach ($line in (Get-Content $PreferenceConfigPath)) {
+ if ($line -match $lineRegex) {
+ $value = $null
+ if ($Matches.Keys -contains "bool") {
+ $value = [bool]::Parse($Matches["bool"])
+ }
+ elseif ($Matches.Keys -contains "number") {
+ $value = [int]::Parse($Matches["number"])
+ }
+ elseif ($Matches.Keys -contains "string") {
+ $value = $Matches["string"]
+ }
+
+ $LockedPreferences += [FirefoxPreference]@{ Name = $Matches[1]; Value = $value }
+ }
+ }
+}
+
+return [PSCustomObject] @{
+ InstallationPath = $InstallationPath
+ LocalSettingsPath = $LocalSettingsPath
+ PreferenceConfigPath = $PreferenceConfigPath
+ LockedPreferences = $LockedPreferences
+}
diff --git a/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1 b/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1
new file mode 100644
index 00000000..ca6e87b1
--- /dev/null
+++ b/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1
@@ -0,0 +1,41 @@
+using module .\..\Helpers\SecurityPolicy.psm1
+
+# get a temporary file to save and process the secedit settings
+$securityPolicyPath = Join-Path -Path $env:TEMP -ChildPath 'SecurityPolicy.inf'
+
+# export the secedit settings to this temporary file
+Write-Verbose "[WindowsSecurityPolicy] Exporting local security policies from secedit into tempory file: $securityPolicyPath"
+secedit.exe /export /cfg $securityPolicyPath | Out-Null
+
+$config = @{}
+switch -regex -file $securityPolicyPath {
+ "^\[(.+)\]" { # Section
+ $section = $matches[1]
+ $config[$section] = @{}
+ }
+ "(.+?)\s*=(.*)" { # Key
+ $name = $matches[1]
+ $value = $matches[2] -replace "\*"
+ $config[$section][$name] = $value
+ }
+}
+
+Write-Verbose "[WindowsSecurityPolicy] Converting identities in 'Privilege Rights' section"
+$privilegeRights = @{}
+foreach ($key in $config["Privilege Rights"].Keys) {
+ # Make all accounts SIDs
+ $accounts = $($config["Privilege Rights"][$key] -split ",").Trim() `
+ | ConvertTo-NTAccountUser -Verbose:$VerbosePreference `
+ | Where-Object { $null -ne $_ }
+ $privilegeRights[$key] = $accounts
+}
+$config["Privilege Rights"] = $privilegeRights
+
+# sanitize input
+$systemAccess = @{}
+foreach ($key in $config["System Access"].Keys) {
+ $systemAccess[$key] = $config["System Access"][$key].Trim()
+}
+$config["System Access"] = $systemAccess
+
+return $config
\ No newline at end of file
diff --git a/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1 b/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1
index 604914e6..813bb407 100644
--- a/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1
+++ b/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1
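Review bot: The `foreach ($line in (Get-Content $LocalSettingsPath))` loop tests `$_` instead of `$line`, and `$_` is not populated inside a `foreach` statement, so the `general.config.filename` pref is never read and `$preferenceConfigFilename` always stays `'mozilla.cfg'`; the condition should be `if ($line -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") {`. That regex also allows only one optional space after the comma whereas `$lineRegex` below accepts `\s*` everywhere, so the two are worth aligning. `$stringRegex` is a single-quoted string, in which the backtick is not an escape character, so the class `[^`"\\]` additionally excludes a literal backtick from matched string values — the double-quoted form of the same expression in `Mozilla Firefox.ps1` does not have that quirk. `[FirefoxPreference]` is neither defined nor imported in this file; presumably the importing module supplies it, which a `using module` line or a short comment would make explicit.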
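Review bot: `secedit.exe /export /cfg $securityPolicyPath | Out-Null` discards both the tool's output and its exit status, and the file it writes has a fixed name in `$env:TEMP` that is never removed, so a failed or unelevated export leaves `switch -regex -file` parsing whatever `SecurityPolicy.inf` an earlier run left behind (or failing on a missing file) with no indication that the policy snapshot is stale. Checking `$LASTEXITCODE` and the file's existence right after the call, using a per-run file name, and deleting the file in a `finally` block makes the failure visible and leaves no copy of the exported local security policy on disk once parsing is done. The `"(.+?)\s*=(.*)"` case also assumes a `[Section]` header precedes the first key; `$config[$section]` with `$section` unset errors on an unexpected file layout, which is acceptable but deserves a comment.
```powershell
$securityPolicyPath = Join-Path -Path $env:TEMP -ChildPath ('SecurityPolicy-{0}.inf' -f [guid]::NewGuid())

try {
    # export the secedit settings to this temporary file
    Write-Verbose "[WindowsSecurityPolicy] Exporting local security policies from secedit into tempory file: $securityPolicyPath"
    secedit.exe /export /cfg $securityPolicyPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $securityPolicyPath)) {
        throw "secedit.exe /export failed (exit code $LASTEXITCODE); local security policy could not be read."
    }

    # … unchanged: section/key parsing, 'Privilege Rights' conversion, 'System Access' trimming …

    return $config
}
finally {
    # the export is only needed while parsing; do not leave a copy of the policy in TEMP
    Remove-Item -Path $securityPolicyPath -Force -ErrorAction SilentlyContinue
}
```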
@@ -32,6 +32,13 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 Import-Module "./ATAPHtmlReport" -Force
+class MyAudit {
+ [string] $Id
+ [string] $Task
+ [string] $Status
+ [string] $Message
+}
+
 Describe "ATAPHtmlReport" {
 InModuleScope ATAPHtmlReport {
 $testPath = "$PSScriptRoot\testreport.html"
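Review bot: `MyAudit` declares `Status` as a plain `[string]`, so a mistyped status in a fixture (say `'true '` or `'Passed'`) is passed through to the report instead of failing the test; constraining it with `[ValidateSet('True', 'False', 'Warning', 'None', 'Error')] [string] $Status` mirrors the `$StatusValues` list the module defines and makes such errors fail at construction. A one-line comment on the class, e.g. `# Minimal stand-in for an audit result; the report appears to read only Id, Task, Message and Status.`, would also record why the test no longer uses a module-provided type.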
@@ -44,46 +51,37 @@ Describe "ATAPHtmlReport" {
 # ComplianceStatus = $true
 }
 Get-ATAPHtmlReport @args -Sections @(
- @{
+ [PSCustomObject]@{
 Title = "Section 1"
 AuditInfos = @(
- (New-ATAPAuditInfo -Id "1.1" -Task "Ensure something" -Message "All Good" -Audit True)
- (New-ATAPAuditInfo -Id "1.2" -Task "Ensure something" -Message "All Good" -Audit True)
- (New-ATAPAuditInfo -Id "1.3" -Task "Ensure something" -Message "All Good" -Audit True)
- (New-ATAPAuditInfo -Id "1.4" -Task "Ensure something" -Message "Not run" -Audit None)
+ [MyAudit]@{ Id = "1.1"; Task = "Ensure something"; Message = "All Good"; Status = 'True' }
+ [MyAudit]@{ Id = "1.2"; Task = "Ensure something"; Message = "All Good"; Status = 'True' }
+ [MyAudit]@{ Id = "1.3"; Task = "Ensure something"; Message = "All Good"; Status = 'True' }
+ [MyAudit]@{ Id = "1.4"; Task = "Ensure something"; Message = "Not run"; Status = 'None' }
 )
 },
- @{
+ [PSCustomObject]@{
 Title = "Section 2"
 SubSections = @(
- @{
+ [PSCustomObject]@{
 Title = " Section 2.1"
 AuditInfos = @(
- (New-ATAPAuditInfo -Id "2.1.1" -Task "Ensure something else" -Message "All Good" -Audit Warning)
- (New-ATAPAuditInfo -Id "2.1.2" -Task "Ensure something entirely different" -Message "All good" -Audit True)
+ [MyAudit]@{ Id = "2.1.1"; Task = "Ensure something else"; Message = "All Good"; Status = 'Warning' }
+ [MyAudit]@{ Id = "2.1.2"; Task = "Ensure something entirely different"; Message = "All good"; Status = 'True' }
 )
 },
- @{
+ [PSCustomObject]@{
 Title = "Section 2.2"
 AuditInfos = @(
- (New-ATAPAuditInfo -Id "2.2.1" -Task "Ensure something entirely different" -Message "Something went wrong" -Audit False)
- (New-ATAPAuditInfo -Id "2.2.2" -Task "Text overflow can only happen on block or inline-block level elements, because the element needs to have a width in order to be overflow-ed. The overflow happens in the direction as determined by the direction property or related attributes." -Message "All Good" -Audit True)
- (New-ATAPAuditInfo -Id "2.1.2" -Task "Ensure something entirely different" -Message "Not quite good" -Audit Warning)
+ [MyAudit]@{ Id = "2.2.1"; Task = "Ensure something entirely different"; Message = "Something went wrong"; Status = 'False' }
+ [MyAudit]@{ Id = "2.2.2"; Task = "Text overflow can only happen on block or inline-block level elements, because the element needs to have a width in order to be overflow-ed. The overflow happens in the direction as determined by the direction property or related attributes."; Message = "All Good"; Status = 'True' }
+ [MyAudit]@{ Id = "2.1.2"; Task = "Ensure something entirely different"; Message = "Not quite good"; Status = 'Warning' }
 )
 }
 )
 }
 )
- It "New-ATAPAuditInfo" {
- $info = New-ATAPAuditInfo -Id "1" -Task "Hello" -Message "Ok" -Audit "True"
- $members = $info | Get-Member
- $specificMembers = $members | Where-Object {
- $_.MemberType -eq "Property" -and $_.Name -in "Id", "Task", "Message", "Audit"
- }
- $specificMembers.Count | Should Be 4
- }
-
 It "Get-ATAPHtmlReport" {
 Test-Path $testPath | Should Be $true
 }
diff --git a/ATAPHtmlReport/ATAPHtmlReport.psd1 b/ATAPHtmlReport/ATAPHtmlReport.psd1
index 611d710a..34fe2fe9 100644
--- a/ATAPHtmlReport/ATAPHtmlReport.psd1
+++ b/ATAPHtmlReport/ATAPHtmlReport.psd1
@@ -36,7 +36,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 RootModule = 'ATAPHtmlReport.psm1'
 # Version number of this module.
-ModuleVersion = '1.2'
+ModuleVersion = '1.3'
 # Supported PSEditions
 # CompatiblePSEditions = @()
diff --git a/ATAPHtmlReport/ATAPHtmlReport.psm1 b/ATAPHtmlReport/ATAPHtmlReport.psm1
index 713f8b52..c010ce19 100644
--- a/ATAPHtmlReport/ATAPHtmlReport.psm1
+++ b/ATAPHtmlReport/ATAPHtmlReport.psm1
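Review bot: The last fixture in "Section 2.2" reuses `Id = "2.1.2"`, which already identifies an audit in "Section 2.1"; the removed line carried the same duplicate, but since the fixtures are rewritten anyway `Id = "2.2.3"` keeps ids unique per report and lets a later assertion look audits up by id. With the `New-ATAPAuditInfo` test deleted, none of the remaining fixtures uses the new `'Error'` status that `Join-ATAPReportStatus` folds into `'Warning'`, so that path goes unexercised; one more `[MyAudit]` entry with `Status = 'Error'` would cover it. Because `htmlElement` in `ATAPHtmlReport.psm1` appears to interpolate attribute values and child text straight into the markup, a fixture whose `Task` or `Message` contains `<`, `&` and `"` would also show whether audit text is encoded before it reaches the report — audit messages embed values read from the audited machine (e.g. `"Registry value: $regValue..."` in `Mozilla Firefox.ps1`), so that is the input a report consumer needs to trust.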
@@ -38,102 +38,104 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Last Change: 08/19/2018 #> -Import-LocalizedData -FileName Settings.ps1 -BindingVariable Settings +#using module .\..\Helpers\Report.psm1 +#using module .\..\Configs\BaseConfig.psm1 -enum AuditStatus { - True - False - Warning - None -} - -class AuditInfo { - [string] $Id - [string] $Task - [string] $Message - [AuditStatus] $Audit -} - -function New-ATAPAuditInfo { - [CmdletBinding( - SupportsShouldProcess = $true - )] - param ( - [Parameter(Mandatory = $true)] - [string] - $Id, +$ScriptRoot = Split-Path -Parent $PSCommandPath - [Parameter(Mandatory = $true)] - [string] - $Task, +$Settings = Import-PowerShellDataFile -Path "$ScriptRoot\Settings.psd1" +$ModuleVersion = (Import-PowerShellDataFile -Path "$ScriptRoot\ATAPHtmlReport.psd1").ModuleVersion - [Parameter(Mandatory = $true)] - [string] - $Message, +$StatusValues = 'True', 'False', 'Warning', 'None', 'Error' +$AuditProperties = @{ Name = 'Id' }, @{ Name = 'Task' }, @{ Name = 'Message' }, @{ Name = 'Status' } +function Join-ATAPReportStatus { + [CmdletBinding()] + [OutputType([string])] + param( [Parameter(Mandatory = $true)] - [ValidateSet( - "True", - "False", - "Warning", - "None" - )] - [string] - $Audit + [string[]] + $Statuses ) - if ($PSCmdlet.ShouldProcess("Creating AuditInfo object")) { - New-Object -TypeName AuditInfo -Property $PSBoundParameters + if ($Statuses -contains 'False') { + return 'False' + } + elseif ($Statuses -contains 'Error') { + return 'Warning' + } + elseif ($Statuses -contains 'Warning') { + return 'Warning' + } + elseif ($Statuses -contains 'True') { + return 'True' + } + else { + return 'None' } } -function Get-ATAPCombinedAuditStatus { +function htmlElement { param( - [Parameter(Mandatory = $true)] - [AuditStatus[]] $Audits + [Parameter(Mandatory = $true, Position = 0)] + [string] + $ElementName, + + [Parameter(Mandatory = $true, Position = 1)] + [hashtable] + $Attributes, + + 
[Parameter(Mandatory = $true, Position = 2)] + [scriptblock] + $Children ) - if ($Audits -contains [AuditStatus]::False) { - [AuditStatus]::False - } - elseif ($Audits -contains [AuditStatus]::Warning) { - [AuditStatus]::Warning - } - elseif ($Audits -contains [AuditStatus]::True) { - [AuditStatus]::True - } - else { - [AuditStatus]::None + $htmlAttributes = @() + foreach ($attribute in $Attributes.GetEnumerator()) { + $htmlAttributes += '{0}="{1}"' -f $attribute.Name, $attribute.Value } + + [string[]]$htmlChildren = & $Children + + return '<{0} {1}>{2}' -f $ElementName, ($htmlAttributes -join ' '), ($htmlChildren -join '') } -function Get-ATAPHtmlSectionStatus { +function Get-SectionStatus { param( - [Parameter(Mandatory = $true)] - [hashtable] $Section + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [Alias('AuditInfos')] + [array] + $ConfigAudits, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections ) - $subSectionStatuses = @() - if ($Section.Keys -contains "AuditInfos") { - $subSectionStatuses += $Section.AuditInfos.Audit + $allStatuses = @() + if ($null -ne $ConfigAudits) { + $allStatuses += $ConfigAudits.Status } - if ($Section.Keys -contains "SubSections") { - $subSectionStatuses += $Section.SubSections | Foreach-Object { Get-ATAPHtmlSectionStatus -Section $_ } + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $allStatuses += $subsection | Get-SectionStatus + } } - return Get-ATAPCombinedAuditStatus -Audits $subSectionStatuses + return Join-ATAPReportStatus $allStatuses } -function Convert-ATAPAuditStatusToHtmlClass { +function Get-HtmlClassFromStatus { param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [AuditStatus] $AuditStatus + [Parameter(Mandatory = $true)] + [string] + $Status ) process { - switch ($AuditStatus) { - "True" { "passed" } - "False" { "failed" } - "Warning" { "warning" } + switch ($Status) { + 'True' { 'passed' } + 
'False' { 'failed' } + 'Warning' { 'warning' } Default { "" } } } @@ -145,96 +147,126 @@ function Convert-SectionTitleToHtmlId { [string] $Title ) - return ([char[]]$Title | ForEach-Object { - switch ($_) { - ' ' { "-" } - '-' { "--" } - Default {$_} - } - }) -join "" + $charMap = { + switch ($_) { + ' ' { "-" } + '-' { "--" } + Default {$_} + } + } + + return ([char[]]$Title | ForEach-Object $charMap) -join '' } -function Convert-ATAPAuditInfoToHtmlTableRow { +function Get-HtmlTableRow { param( - [Parameter(Mandatory = $true)] - [AuditInfo] $AuditInfo + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $Audit ) process { - $tableData = foreach ($Property in [AuditInfo].GetProperties()) { - $value = $Property.GetValue($AuditInfo, $null) - - if ($Property.Name -eq "Audit") { - $auditClass = Convert-ATAPAuditStatusToHtmlClass -AuditStatus $value - $value = "$value" + # $properties = $Audit | Get-Member -MemberType Property + + htmlElement 'tr' @{} { + foreach ($property in $AuditProperties) { + $value = $Audit | Select-Object -ExpandProperty $property.Name + if ($Property.Name -eq 'Status') { + $class = Get-HtmlClassFromStatus $Audit.Status + $value = htmlElement 'span' @{ class = "auditstatus $class" } { $value } + } + htmlElement 'td' @{} { $value } } - - "$value" } - - return "$tableData" } } -function Get-ATAPHtmlSectionLink { +function Get-HtmlToc { param( - [Parameter(Mandatory = $true)] - [hashtable[]] $Sections, + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, - [string] $Prepend = "" - ) + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections, - $html = "
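Review bot: `htmlElement` interpolates attribute values and child text into the markup without any HTML encoding (`'{0}="{1}"' -f $attribute.Name, $attribute.Value` and `$htmlChildren -join ''`), and the next hunks feed audit `Task`/`Message` strings, section titles (also used in `href="#$id"`) and host-information values through it as text leaves. Since those strings come from the audited system, a `"`, `<` or `&` in a registry value or hostname at best breaks the report layout and at worst renders as markup in the report viewer. Children may legitimately be already-rendered elements, so encoding belongs at the text leaves (Get-HtmlTableRow's `$value`, the `$Title`/`$Description` leaves in Get-HtmlReportSection and Get-HtmlToc, `$hostDatum.Value` in Get-ATAPHtmlReport), but attribute values are always plain strings and can be encoded here: `$htmlAttributes += '{0}="{1}"' -f $attribute.Name, [System.Net.WebUtility]::HtmlEncode([string]$attribute.Value)`. As rendered on this page the format string `'<{0} {1}>{2}'` has no closing tag; if that is not an extraction artifact, every element is left unclosed. The hunk also cuts off `Get-HtmlClassFromStatus` before its end.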
    " - foreach ($Section in $Sections) { - $id = Convert-SectionTitleToHtmlId -Title ($Prepend + $Section.Title) + [string] + $Prefix = '' + ) - $html += "
  • " - $html += "$($Section.Title)" - if ($Section.Keys -contains "SubSections") { - $html += Get-ATAPHtmlSectionLink -Sections $Section.SubSections -Prepend ($Prepend + $Section.Title) + $id = Convert-SectionTitleToHtmlId -Title ($Prefix + $Title) + htmlElement 'li' @{} { + htmlElement 'a' @{ href = "#$id" } { $Title } + if ($null -ne $Subsections) { + htmlElement 'ul' @{} { + foreach ($subsection in $Subsections) { + $subsection | Get-HtmlToc -Prefix ($Prefix + $Title) + } + } } - $html += "
  • " } - $html += "
" - - return $html } -function Get-ATAPHtmlSection { +function Get-HtmlReportSection { param( - [Parameter(Mandatory = $true)] - [hashtable[]] $Sections, + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, - [string] $Prepend = "" - ) + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [string] + $Description, - $html = "" - foreach ($Section in $Sections) { - $id = Convert-SectionTitleToHtmlId -Title ($Prepend + $Section.Title) - $sectionStatus = Get-ATAPHtmlSectionStatus -Section $Section - $class = Convert-ATAPAuditStatusToHtmlClass -AuditStatus $sectionStatus + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [alias('AuditInfos')] + [array] + $ConfigAudits, - $html += "
" - $html += "

" - $html += "$($Section.Title)" - $html += "^" - $html += "

" + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [alias('Sections')] + [array] + $Subsections, - if ($Section.Keys -contains "Description") { - $html += "

$($Section.Description)

" - } - if ($Section.Keys -contains "AuditInfos") { - $tableHead = [AuditInfo].GetProperties().Name | ForEach-Object { "$_" } - $tableRows = $Section.AuditInfos | Foreach-Object { Convert-ATAPAuditInfoToHtmlTableRow -AuditInfo $_ } - $html += "$tableHead$tableRows
" - } - if ($Section.Keys -contains "SubSections") { - $html += Get-ATAPHtmlSection -Sections $Section.SubSections -Prepend ($Prepend + $Section.Title) + [Parameter(Mandatory = $false)] + [string] + $Prefix + ) + + process { + $id = Convert-SectionTitleToHtmlId -Title ($Prefix + $Title) + $sectionStatus = Get-SectionStatus -ConfigAudits $ConfigAudits -Subsections $Subsections + $class = Get-HtmlClassFromStatus $sectionStatus + + htmlElement 'section' @{} { + htmlElement 'h1' @{ id = $id } { + htmlElement 'span' @{ class = $class } { $Title } + htmlElement 'a' @{ href = '#'; class = 'totop'} { '^' } + } + + if ($null -ne $Description) { + htmlElement 'p' @{} { $Description } + } + if ($null -ne $ConfigAudits) { + htmlElement 'table' @{ class = 'audit-info' } { + htmlElement 'tbody' @{} { + htmlElement 'tr' @{} { + foreach ($columnName in $AuditProperties.Name) { + htmlElement 'th' @{} { $columnName } + } + } + foreach ($configAudit in $ConfigAudits) { + $configAudit | Get-HtmlTableRow + } + } + } + } + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $subsection | Get-HtmlReportSection -Prefix ($Prefix + $Title) + } + } } - $html += "
" } - - return $html } function Get-ATAPHostInformation { @@ -252,15 +284,16 @@ function Get-ATAPHostInformation { function Get-CompletionStatus { param( - [AuditInfo[]] $AuditInfos + [string[]] + $Statuses ) - $totalCount = $AuditInfos.Count + $totalCount = $Statuses.Count $status = @{ TotalCount = $totalCount } - foreach ($value in [auditstatus].GetEnumValues()) { - $count = ($AuditInfos | Where-Object { $_.Audit -eq $value }).Count + foreach ($value in $StatusValues) { + $count = ($Statuses | Where-Object { $_ -eq $value }).Count $status[$value] = @{ Count = $count Percent = (100 * ($count / $totalCount)).ToString("0.00", [cultureinfo]::InvariantCulture) @@ -278,7 +311,7 @@ function Get-OverallComplianceCSS { ) $css = "" - $percent = $completionStatus[[AuditStatus]::True].Percent / 1 + $percent = $completionStatus['True'].Percent / 1 if ($percent -gt 50) { $degree = 180 + ((($percent-50)/1) * 3.6) @@ -296,23 +329,30 @@ function Get-OverallComplianceCSS { return $css } -function Select-AuditInfo { +function Select-ConfigAudit { param( - [hashtable[]] $Sections + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [Alias('AuditInfos')] + [array] + $ConfigAudits, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections ) - [AuditInfo[]]$auditInfos = @() - - foreach ($Section in $Sections) { - if ($Section.Keys -contains "AuditInfos") { - $auditInfos += $Section.AuditInfos + process { + $results = @() + if ($null -ne $ConfigAudits) { + $results += $ConfigAudits } - if ($Section.Keys -contains "SubSections") { - $auditInfos += Select-AuditInfo -Sections $Section.SubSections + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $results += $subsection | Select-ConfigAudit + } } + return $results } - - return $auditInfos } function Get-ATAPHtmlReport { 
@@ -329,115 +369,140 @@ function Get-ATAPHtmlReport { [CmdletBinding()] [OutputType([string])] - Param( + param( [Parameter(Mandatory = $true)] - [string] $Path, + [string] + $Path, - [Parameter(Mandatory = $true)] - [string] $Title, + [Parameter(Mandatory = $false)] + [hashtable] + $HostInformation = (Get-ATAPHostInformation), - [Parameter(Mandatory = $true)] - [string] $ModuleName, + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, - [Parameter(Mandatory = $true)] - [string[]] $BasedOn, + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $ModuleName, - [hashtable] $HostInformation = (Get-ATAPHostInformation), + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string[]] + $BasedOn, - [hashtable[]] $Sections, + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Sections, [switch] $DarkMode, [switch] $ComplianceStatus ) - $scriptRoot = Split-Path -Parent $PSCommandPath - - $cssDocument = if (-not $DarkMode) { - "/report.css" - } - else { - "/report.dark.css" - } - $cssPath = $scriptRoot | Join-path -ChildPath $cssDocument - $css = Get-Content $cssPath - - $completionStatus = Get-CompletionStatus -AuditInfos (Select-AuditInfo -Sections $Sections) + $allConfigResults = foreach ($section in $Sections) { $section | Select-ConfigAudit | Select-Object -ExpandProperty 'Status' } + $completionStatus = Get-CompletionStatus $allConfigResults # HTML markup - $head = "" - $head += "" - $head += "" - $head += "$Title [$(Get-Date)]" - $head += "" - - # HTML markup - # Header - $body = "
" - # $body += "`"FB-Pro" - $body += $Settings.LogoSvg - $body += "

$Title

" - $body += "

Generated by the $ModuleName Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

" - $body += "

Based on $($BasedOn -join ", ").

" - $body += "
" - # Main section - $body += "
" - $body += "
" - $body += "

This report was generated at $((Get-Date)) on $($HostInformation.Hostname).

" - # Host information - $body += "" - $body += "" - foreach ($Key in $HostInformation.Keys) { - $body += "" - $body += "" - $body += "" - } - $body += "" - $body += "
$Key$($HostInformation[$Key])
" - $body += "
" - if ($ComplianceStatus) { - $sliceColorClass = Convert-ATAPAuditStatusToHtmlClass 'True' - $body += '
' - $body += '

Compliance status

' - $body += '
' - $body += '
' -f $sliceColorClass - $body += '
' -f $sliceColorClass - $body += '
' - $body += '
' - $body += '
' - } - # Summary - $body += "

Summary

" - # $body += "

" - $body += "

A total of {0} tests have been run. {1} resulted in false. {2} resulted in warning.

" -f ` - $completionStatus.TotalCount, $completionStatus[[AuditStatus]::False].Count, $completionStatus[[AuditStatus]::Warning].Count - $body += "
" - foreach ($value in [auditstatus].GetEnumValues()) { - $htmlClass = Convert-ATAPAuditStatusToHtmlClass -AuditStatus $value - $percent = $completionStatus[$value].Percent - $body += "
" -f ` - $htmlClass, $percent, $value.ToString(), $completionStatus[$value].Count - } - $body += "
" - $body += "
    " - foreach ($value in [auditstatus].GetEnumValues()) { - $htmlClass = Convert-ATAPAuditStatusToHtmlClass -AuditStatus $value - $percent = $completionStatus[$value].Percent - $body += "
  1. {2} {3} test(s) ≙ {1}%
  2. " -f ` - $htmlClass, $percent, $value.ToString(), $completionStatus[$value].Count + $head = htmlElement 'head' @{} { + htmlElement 'meta' @{ charset = 'UTF-8'} { } + htmlElement 'meta' @{ name = 'viewport'; content = 'width=device-width, initial-scale=1.0' } { } + htmlElement 'meta' @{ 'http-equiv' = 'X-UA-Compatible'; content = 'ie=edge'} { } + htmlElement 'title' @{} { "$Title [$(Get-Date)]" } + htmlElement 'style' @{} { + $cssEnding = '' + if ($DarkMode) { $cssEnding = '.dark' } + $cssPath = $ScriptRoot | Join-path -ChildPath "/report$($cssEnding).css" + Get-Content $cssPath + Get-OverallComplianceCSS $completionStatus + } } - $body += "
" - # Section navigation - $body += "

Navigation

" - $body += "

Click the link(s) below for quick access to a report section.

" - $body += Get-ATAPHtmlSectionLink -Sections $Sections - # Sections - $body += Get-ATAPHtmlSection -Sections $Sections - $body += "
" - $html = "$head$body " + $body = htmlElement 'body' @{} { + # Header + htmlElement 'div' @{ class = 'header content'} { + $Settings.LogoSvg + htmlElement 'h1' @{} { $Title } + htmlElement 'p' @{} { + "Generated by the $ModuleName Module by FB Pro GmbH. Get it in the Audit Test Automation Package." + } + htmlElement 'p' @{} { "Based on $($BasedOn -join ", ")." } + } + # Main section + htmlElement 'div' @{ class = 'main content' } { + htmlElement 'div' @{ class = 'host-information' } { + htmlElement 'p' @{} { "This report was generated at $((Get-Date)) on $($HostInformation.Hostname) with ATAPHtmlReport version $ModuleVersion." } + # Host information + htmlElement 'table' @{} { + htmlElement 'tbody' @{} { + foreach ($hostDatum in $HostInformation.GetEnumerator()) { + htmlElement 'tr' @{} { + htmlElement 'th' @{ scope = 'row' } { $hostDatum.Name } + htmlElement 'td' @{} { $hostDatum.Value } + } + } + } + } + # Show compliance status + if ($ComplianceStatus) { + $sliceColorClass = Get-HtmlClassFromStatus 'True' + htmlElement 'div' @{ class = 'card'} { + htmlElement 'h2' @{} { 'Compliance status' } + htmlElement 'div' @{ class = 'donut-chart chart'} { + htmlElement 'div' @{ class = "slice one $sliceColorClass" } { } + htmlElement 'div' @{ class = "slice two $sliceColorClass" } { } + htmlElement 'div' @{ class = 'chart-center' } { htmlElement 'span' @{} { } } + } + } + } + # Summary + htmlElement 'h1' @{ style = 'clear:both; padding-top: 50px;' } { 'Summary' } + htmlElement 'p' @{} { + 'A total of {0} tests have been run. {1} resulted in false. {2} resulted in warning.' 
-f @( + $completionStatus.TotalCount + $completionStatus['False'].Count + $completionStatus['Warning'].Count + ) + } + # Status percentage gauge + htmlElement 'div' @{ class = 'gauge' } { + foreach ($value in $StatusValues) { + $count = $completionStatus[$value].Count + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $completionStatus[$value].Percent + + htmlElement 'div' @{ + class = "gauge-meter $htmlClass" + style = "width: $($percent)%" + title = "$value $count test(s), $($percent)%" + } { } + } + } + htmlElement 'ol' @{ class = 'gauge-info' } { + foreach ($value in $StatusValues) { + $count = $completionStatus[$value].Count + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $completionStatus[$value].Percent + + htmlElement 'li' @{ class = 'gauge-info-item' } { + htmlElement 'span' @{ class = "auditstatus $htmlClass" } { $value } + " $count test(s) ≙ $($percent)%" + } + } + + } + # Table of Contents + htmlElement 'h1' @{} { 'Table of Contents' } + htmlElement 'p' @{} { 'Click the link(s) below for quick access to a report section.' } + htmlElement 'ul' @{} { + foreach ($section in $Sections) { $section | Get-HtmlToc } + } + # Report Sections Sections + foreach ($section in $Sections) { $section | Get-HtmlReportSection } + } + } + } + $html = "$($head)$($body) " + New-Item $path -type File $html | Out-File $Path -Encoding utf8 } \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..8b050887 --- /dev/null +++ b/CHANGELOG.md 
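Review bot: `New-Item $path -type File` before `$html | Out-File $Path -Encoding utf8` emits a `FileInfo` object to the pipeline, so the function's actual output contradicts its `[OutputType([string])]`, and it raises a non-terminating error whenever the report path already exists even though `Out-File` then overwrites it anyway. `Out-File` creates the file itself, so either drop the `New-Item` line or, if it is meant to create missing parent folders, use `New-Item -Path $Path -ItemType File -Force | Out-Null`. The comment `# Report Sections Sections` repeats a word. The function begins outside the hunk.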
@@ -0,0 +1,81 @@ +# Changelog + +## 4.0.0 Release Candidate 1 + +- New CIS section in **Google Chrome**. +- New CIS section in **Microsoft IE11**. +- The **Microsoft Windows Server 2019** report was added. +- New AuditGroup files that replace the dependency on the BenchmarkBucket. + +### Changed + +- CIS section in **Microsoft Windows 10** was updated to a new publisher version. +- CIS section in **Microsoft Windows Server 2016** was updated to a new publisher version. + +### Removed + +- ATAPAuditors have become deprecated. + +## 4.0.0 Alpha 6 + +### Added + +- The **Microsoft IE 11** report was added. +- The **Microsoft SQL Server 2016** report was added. + +### Changed + +- `Get-AuditReport` was renamed to `Get-ATAPReport`. +- Argument completion on `Get-ATAPReport` and `Save-ATAPHtmlReport` dynamically gets all report + names instead of hard coded values. + +## 4.0.0 Alpha 5 + +### Changed + +- Instead of storing auditing functionality (the *Test* methods of the overridden *Config* classes) + and the required information for an audit (the properties of the overridden *Config* classes) in a + single class (the overridden *Config* classes), these two parts have been separated. Audit + functionality is now stored in the *ATAPAuditor_\** files in the *Auditors* folder. Audit + information is now contained in the **BenchmarkBucket** module in a separate repository. +- Every *Test* method of the overriden *Config* classes have been converted to an *ATAPAuditor*. +- **SecureWorkstation**: Now refers to the other reports and includes its data as a subesction, + instead of duplication. +- The **FirefoxLockPrefSettings** resource is now known as **FirefoxPreferences**. + +### Removed + +- All benchmarks have been removed. The benchmark data has been outsourced to a separate module + **BenchmarkBucket**. +- **AccessControls** helper was moved inside of **ATAPAuditor_AccessControls**. +- **AuditProcessingFunctions** helper is not needed anymore. 
+- **Benchmarks** helper was moved to **BenchmarkBucket**. +- **DomainRole** helper was moved to **ATAPAuditor**. +- **MozillaFirefox** helper was moved to **BenchmarkBucket**. +- **Report** helper was moved to **ATAPAuditor**. +- **Value** helper was moved to **BenchmarkBucket**. +- **Value** helper is not needed anymore. + +### Fixed + +- **FirefoxPreferences** resource: Alway returns data. + +## 4.0.0 Alpha 4 + +### Changed + +- **Save-ATAPHtmlReport**: The default save folder was moved to the *ATAPReports* folder in the + default user *Documents* folder. This can be overriden by the user. The path in the user + environment variable *ATAPReportPath* will be used instead. +- **Save-ATAPHtmlReport**: If the parent folder of the path does not exist, adding *-Force* to the + cmdlet will create the folder for you. +- The **Windows 10** report also contains the **Windows 10 GDPR** benchmarks. + +### Added + +- The **Windows 10 GDPR** benchmarks were added +- The **Windows 10 GDPR** report was added +- The **Helpers\\RegistryToSeparateAudit.ps1** script that converts the registry settings of a + benchmark to a module. This is used for publishing to the old *Audit TAP* repository. +- The **Internet Explorer 11** benchmarks were added +- A changelog was added \ No newline at end of file diff --git a/Excel2016Audit/Excel2016Audit.psd1 b/Excel2016Audit/Excel2016Audit.psd1 deleted file mode 100644 index acfffa22..00000000 --- a/Excel2016Audit/Excel2016Audit.psd1 +++ /dev/null 
@@ -1,148 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - -# Script module or binary module file associated with this manifest. -RootModule = 'Excel2016Audit.psm1' - -# Version number of this module. 
-ModuleVersion = '0.1' - -# Supported PSEditions -# CompatiblePSEditions = @() - -# ID used to uniquely identify this module -GUID = '11e8228b-4c08-4253-9529-83882258b4a2' - -# Author of this module -Author = 'Dennis Esly' - -# Company or vendor of this module -CompanyName = 'FB Pro GmbH' - -# Copyright statement for this module -Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.' - -# Description of the functionality provided by this module -Description = "A module that benchmarks your Microsoft Excel 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks." - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '5.0' - -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -RequiredModules = @( - 'ATAPHtmlReport' -) - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'excel', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
-# ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/Excel2016Audit/Excel2016Audit.psm1 b/Excel2016Audit/Excel2016Audit.psm1
deleted file mode 100644
index 89f818e8..00000000
--- a/Excel2016Audit/Excel2016Audit.psm1
+++ /dev/null
@@ -1,429 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "MS_Excel_2016_DISA_STIG_V1R2.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { 
- # Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-Excel2016HtmlReport` cmdlet tests Microsoft Excel 2016 settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-Excel2016HtmlReport -Path "reports/report1.html" -#> -function Save-Excel2016HtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft Excel 2016 Audit Report" ` - -ModuleName "Excel2016Audit" ` - -BasedOn "DISA Microsoft Excel 2016 Security Technical Implementation Guide V1R2 2017-10-27" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-Excel2016HtmlReport -Value Save-Excel2016HtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-Excel2016HtmlReport -Set-Alias -Name shr -Value Save-Excel2016HtmlReport -#endregion \ No newline at end of file diff --git a/Excel2016Audit/MS_Excel_2016_DISA_STIG_V1R2.psd1 b/Excel2016Audit/MS_Excel_2016_DISA_STIG_V1R2.psd1 deleted file mode 100644 index 2823312a..00000000 --- a/Excel2016Audit/MS_Excel_2016_DISA_STIG_V1R2.psd1 +++ /dev/null 
@@ -1,308 +0,0 @@
-# Requirements for Microsoft Excel 2016 DISA STIG V1R2
-# Created at 03/19/2019 00:45:19
-
-@{
- RegistrySettings = @(
- @{
- Id = "DTOO104"
- Task = "Disabling of user name and password syntax from being used in URLs must be enforced."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO105"
- Task = "Open/Save actions for Excel 4 macrosheets and add-in files must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL4Macros"
- Value = 2
- }
- @{
- Id = "DTOO106"
- Task = "Open/Save actions for Excel 4 workbooks must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL4Workbooks"
- Value = 2
- }
- @{
- Id = "DTOO107"
- Task = "Open/Save actions for Excel 4 worksheets must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL4Worksheets"
- Value = 2
- }
- @{
- Id = "DTOO108"
- Task = "Actions for Excel 95 workbooks must be configured to edit in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL95Workbooks"
- Value = 5
- }
- @{
- Id = "DTOO109"
- Task = "Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\office\16.0\excel\security\fileblock"
- Name = "XL9597WorkbooksandTemplates"
- Value = 5
- }
- @{
- Id = "DTOO110"
- Task = "Blocking as default file block opening behavior must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "OpenInProtectedView"
- Value = 0
- }
- @{
- Id = "DTOO111"
- Task = "Enabling IE Bind to Object functionality must be present."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO112"
- Task = "Open/Save actions for Dif and Sylk files must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "DifandSylkFiles"
- Value = 2
- }
- @{
- Id = "DTOO113"
- Task = "Open/Save actions for Excel 2 macrosheets and add-in files must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL2Macros"
- Value = 2
- }
- @{
- Id = "DTOO114"
- Task = "Open/Save actions for Excel 2 worksheets must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL2Worksheets"
- Value = 2
- }
- @{
- Id = "DTOO115"
- Task = "Open/Save actions for Excel 3 macrosheets and add-in files must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL3Macros"
- Value = 2
- }
- @{
- Id = "DTOO116"
- Task = "Open/Save actions for Excel 3 worksheets must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "XL3Worksheets"
- Value = 2
- }
- @{
- Id = "DTOO117"
- Task = "Saved from URL mark to assure Internet zone processing must be enforced."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO119"
- Task = "Configuration for file validation must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation"
- Name = "EnableOnLoad"
- Value = 1
- }
- @{
- Id = "DTOO120"
- Task = "Open/Save actions for web pages and Excel 2003 XML spreadsheets must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "HtmlandXmlssFiles"
- Value = 2
- }
- @{
- Id = "DTOO121"
- Task = "Files from the Internet zone must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview"
- Name = "DisableInternetFilesInPV "
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO122"
- Task = "Open/Save actions for dBase III / IV files must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock"
- Name = "DBaseFiles"
- Value = 2
- }
- @{
- Id = "DTOO123"
- Task = "Navigation to URLs embedded in Office products must be blocked."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO124"
- Task = "Scripted Window Security must be enforced."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO126"
- Task = "Add-on Management functionality must be allowed."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO127"
- Task = "Add-ins to Office applications must be signed by a Trusted Publisher."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security"
- Name = "RequireAddinSig"
- Value = 1
- }
- @{
- Id = "DTOO129"
- Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO131"
- Task = "Trust Bar Notifications for unsigned application add-ins must be blocked."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security"
- Name = "NoTBPromptUnsignedAddin"
- Value = 1
- }
- @{
- Id = "DTOO132"
- Task = "File Downloads must be configured for proper restrictions."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO133"
- Task = "All automatic loading from trusted locations must be disabled."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\trusted locations"
- Name = "AllLocationsDisabled"
- Value = 1
- }
- @{
- Id = "DTOO134"
- Task = "Disallowance of trusted locations on the network must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\trusted locations"
- Name = "AllowNetworkLocations"
- Value = 0
- }
- @{
- Id = "DTOO139"
- Task = "The Save commands default file format must be configured."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options"
- Name = "DefaultFormat"
- Value = 51
- }
- @{
- Id = "DTOO142"
- Task = "The scanning of encrypted macros in open XML documents must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security"
- Name = "ExcelBypassEncryptedMacroScan "
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO145"
- Task = "Macro storage must be in personal macro workbooks."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions"
- Name = "fGlobalSheet_37_1"
- Value = 1
- }
- @{
- Id = "DTOO146"
- Task = "Trust access for VBA must be disallowed."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security"
- Name = "AccessVBOM"
- Value = 0
- }
- @{
- Id = "DTOO209"
- Task = "Protection from zone elevation must be enforced."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO211"
- Task = "ActiveX Installs must be configured for proper restriction."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "excel.exe"
- Value = 1
- }
- @{
- Id = "DTOO288"
- Task = "Files in unsafe locations must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview"
- Name = "DisableUnsafeLocationsInPV "
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO292"
- Task = "Document behavior if file validation fails must be set."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation"
- Name = "openinprotectedview "
- Value = 1
- DoesNotExist = $true
- }
- @{
- Id = "DTOO292_b"
- Task = "Document behavior if file validation fails must be set."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\filevalidation"
- Name = "DisableEditFromPV "
- Value = 1
- }
- @{
- Id = "DTOO293"
- Task = "Excel attachments opened from Outlook must be in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\security\protectedview"
- Name = "DisableAttachmentsInPV "
- Value = 0
- }
- @{
- Id = "DTOO304"
- Task = "Warning Bar settings for VBA macros must be configured."
- Path = "HKCU:\software\policies\Microsoft\office\16.0\excel\security"
- Name = "vbawarnings"
- Value = 2
- # Values of REG_DWORD = 3 or 4 are also acceptable values.
- }
- @{
- Id = "DTOO418"
- Task = "WEBSERVICE functions must be disabled."
- Path = "HKCU:\software\policies\Microsoft\office\16.0\excel\security"
- Name = "webservicefunctionwarnings "
- Value = 1
- DoesNotExist = $true
- # If the value is REG_DWORD = 0 or 2, then this is a finding.
- }
- @{
- Id = "DTOO419"
- Task = "Corrupt workbook options must be disallowed."
- Path = "HKCU:\software\policies\Microsoft\office\16.0\excel\options"
- Name = "extractdatadisableui"
- Value = 1
- }
- @{
- Id = "DTOO600"
- Task = "Macros must be blocked from running in Office files from the Internet."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security"
- Name = "blockcontentexecutionfrominternet"
- Value = 1
- }
- @{
- Id = "DTOO605"
- Task = "Files on local Intranet UNC must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview"
- Name = "DisableIntranetCheck"
- Value = 0
- }
- )
-}
diff --git a/Excel2016Audit/README.md b/Excel2016Audit/README.md
deleted file mode 100644
index cc8ae0bc..00000000
--- a/Excel2016Audit/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Excel 2016 Audit
-
-based on
-* _DISA Microsoft Excel 2016 Security Technical Implementation Guide V1R2 2017-10-27_
-
-## Overview
-
-The `Excel2016Audit`-Module benchmarks the current Microsoft Excel 2016 settings with current hardening standards from DISA.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Microsoft Excel 2016**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-### Loading the Excel 2016 Audit module
-
-You only need to import the module when you haven't installed it.
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\Excel2016Audit -Verbose
-```
-3. Generate a report with `Get-Excel2016HtmlReport` For example:
-```PowerShell
-Get-Excel2016HtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
\ No newline at end of file
diff --git a/Excel2016Audit/Settings.psd1 b/Excel2016Audit/Settings.psd1
deleted file mode 100644
index 63930f7b..00000000
--- a/Excel2016Audit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mailto@example.com"
- MailFrom = "Microsoft Excel 2016 Audit Reporting"
- Encoding = "UTF8"
- User = "audittap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-}
\ No newline at end of file
diff --git a/GoogleChromeAudit/GoogleChromeAudit.psd1 b/GoogleChromeAudit/GoogleChromeAudit.psd1
deleted file mode 100644
index 95de00f0..00000000
--- a/GoogleChromeAudit/GoogleChromeAudit.psd1
+++ /dev/null
@@ -1,148 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - -# Script module or binary module file associated with this manifest. -RootModule = 'GoogleChromeAudit.psm1' - -# Version number of this module. 
-ModuleVersion = '0.1' - -# Supported PSEditions -# CompatiblePSEditions = @() - -# ID used to uniquely identify this module -GUID = '8081a061-be9e-4a9a-bacc-a215e5615b7e' - -# Author of this module -Author = 'Dennis Esly' - -# Company or vendor of this module -CompanyName = 'FB Pro GmbH' - -# Copyright statement for this module -Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.' - -# Description of the functionality provided by this module -Description = "A module that benchmarks your Google Chrome settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks." - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '5.0' - -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -RequiredModules = @( - 'ATAPHtmlReport' -) - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
-# ScriptsToProcess = @() - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - -# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -# FunctionsToExport = '*' - -# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. -# CmdletsToExport = '*' - -# Variables to export from this module -# VariablesToExport = '*' - -# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. -# AliasesToExport = '*' - -# DSC resources to export from this module -# DscResourcesToExport = @() - -# List of all modules packaged with this module -# ModuleList = @() - -# List of all files packaged with this module -# FileList = @() - -# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. -PrivateData = @{ - - PSData = @{ - - # Tags applied to this module. These help with module discovery in online galleries. - Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'google chrome', 'cis', 'disa') - - # A URL to the license for this module. - LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' - - # A URL to the main website for this project. - ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' - - # A URL to an icon representing this module. 
- # IconUri = '' - - # ReleaseNotes of this module - # ReleaseNotes = '' - - } # End of PSData hashtable - -} # End of PrivateData hashtable - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - -} diff --git a/GoogleChromeAudit/GoogleChromeAudit.psm1 b/GoogleChromeAudit/GoogleChromeAudit.psm1 deleted file mode 100644 index 91f6d389..00000000 --- a/GoogleChromeAudit/GoogleChromeAudit.psm1 +++ /dev/null 
@@ -1,430 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "Google_Chrome_DISA_STIG_V1R15.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { 
- # Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -[OutputType([AuditInfo])] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path 
$Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-GoogleChromeHtmlReport` cmdlet tests Google Chrome settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-GoogleChromeHtmlReport -Path "reports/report1.html" -#> -function Save-GoogleChromeHtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Google Chrome Audit Report" ` - -ModuleName "GoogleChromeAudit" ` - -BasedOn "DISA Google Chrome Security Technical Implementation Guide V1R15 2019-01-25" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-GoogleChromeHtmlReport -Value Save-GoogleChromeHtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-GoogleChromeHtmlReport -Set-Alias -Name shr -Value Save-GoogleChromeHtmlReport -#endregion \ No newline at end of file diff --git a/GoogleChromeAudit/Google_Chrome_DISA_STIG_V1R15.psd1 b/GoogleChromeAudit/Google_Chrome_DISA_STIG_V1R15.psd1 deleted file mode 100644 index 40a8abdc..00000000 --- a/GoogleChromeAudit/Google_Chrome_DISA_STIG_V1R15.psd1 +++ /dev/null 
@@ -1,295 +0,0 @@
-# Requirements for Google Chrome DISA STIG V1R15
-
-@{
- RegistrySettings = @(
- @{
- Id = "DTBC-0001"
- Task = "Firewall traversal from remote host must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "RemoteAccessHostFirewallTraversal"
- Value = 0
- }
- @{
- Id = "DTBC-0003"
- Task = "Sites ability for showing desktop notifications must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultNotificationsSetting"
- Value = 2
- }
- @{
- Id = "DTBC-0004"
- Task = "Sites ability to show pop-ups must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultPopupsSetting"
- Value = 2
- }
- @{
- Id = "DTBC-0002"
- Task = "Site tracking users location must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultGeolocationSetting"
- Value = 2
- }
- @{
- Id = "DTBC-0005"
- Task = "Extensions installation must be blacklisted by default."
- Path = "HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlacklist"
- Name = "1"
- Value = "*"
- }
- @{
- Id = "DTBC-0006"
- Task = "Extensions that are approved for use must be whitelisted."
- Path = "HKLM:\Software\Policies\Google\Chrome\ExtensionInstallWhitelist"
- Name = "ExtensionInstallWhitelist"
- Value = 1
- }<#
- @{
- Id = "DTBC-0007"
- Task = "The default search providers name must be set."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultSearchProviderName"
- Value =
- }
- @{
- Id = "DTBC-0008"
- Task = "The default search provider URL must be set to perform encrypted searches."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultSearchProviderSearchURL"
- Value = an organization-approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding.
- }#>
- #Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.
- @{
- Id = "DTBC-0009"
- Task = "Default search provider must be enabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultSearchProviderEnabled"
- Value = 1
- }
- @{
- Id = "DTBC-0011"
- Task = "The Password Manager must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "PasswordManagerEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0013"
- Task = "The running of outdated plugins must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome"
- Name = "AllowOutdatedPlugins"
- Value = 0
- }
- @{
- Id = "DTBC-0015"
- Task = "Third party cookies must be blocked."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "BlockThirdPartyCookies"
- Value = 1
- }
- @{
- Id = "DTBC-0017"
- Task = "Background processing must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "BackgroundModeEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0019"
- Task = "3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.)"
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "Disable3DAPIs"
- Value = 1
- }
- @{
- Id = "DTBC-0020"
- Task = "Google Data Synchronization must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SyncDisabled"
- Value = 1
- }
- @{
- Id = "DTBC-0021"
- Task = "The URL protocol schema javascript must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\URLBlacklist"
- Name = "1"
- Value = "javascript://*"
- }
- @{
- Id = "DTBC-0023"
- Task = "Cloud print sharing must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "CloudPrintProxyEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0025"
- Task = "Network prediction must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "NetworkPredictionOptions"
- Value = 2
- }
- @{
- Id = "DTBC-0026"
- Task = "Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. 
On standalone systems, the policy will not display.)"
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "MetricsReportingEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0027"
- Task = "Search suggestions must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SearchSuggestEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0029"
- Task = "Importing of saved passwords must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "ImportSavedPasswords"
- Value = 0
- }
- @{
- Id = "DTBC-0030"
- Task = "Incognito mode must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "IncognitoModeAvailability"
- Value = 1
- # DoesNotExist = $true
- }
- @{
- Id = "DTBC-0037"
- Task = "Online revocation checks must be done."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "EnableOnlineRevocationChecks"
- Value = 1
- }
- @{
- Id = "DTBC-0038"
- Task = "Safe Browsing must be enabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SafeBrowsingEnabled"
- Value = 1
- }
- @{
- Id = "DTBC-0039"
- Task = "Browser history must be saved."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SavingBrowserHistoryDisabled"
- Value = 0
- }
- @{
- Id = "DTBC-0040"
- Task = "Default behavior must block webpages from automatically running plugins."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultPluginsSetting"
- Value = 3
- }<#
- @{
- Id = "DTBC-0045"
- Task = "Session only based cookies must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls"
- Name = ""
- Value =
- }#>
- @{
- Id = "DTBC-0051"
- Task = "URLs must be whitelisted for plugin use"
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "PluginsAllowedForUrls"
- Value = "Suggested: the set or subset of [*.]mil and [*.]gov"
- }
- @{
- Id = "DTBC-0052"
- Task = "Deletion of browser history must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "AllowDeletingBrowserHistory"
- Value = 0
- }
- @{
- Id = "DTBC-0053"
- Task = "Prompt for download location must be enabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "PromptForDownloadLocation"
- Value = 1
- }<#
- @{
- Id = "DTBC-0055"
- Task = "Download restrictions must be configured."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DownloadRestrictions"
- Value = 1" or "2"
- }#>
- @{
- Id = "DTBC-0064"
- Task = "Autoplay must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "AutoplayAllowed"
- Value = 0
- }
- @{
- Id = "DTBC-0056"
- Task = "Chrome must be configured to allow only TLS."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SSLVersionMin"
- Value = "tls1.1"
- }
- @{
- Id = "DTBC-0057"
- Task = "Safe Browsing Extended Reporting must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "SafeBrowsingExtendedReportingEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0058"
- Task = "WebUSB must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "DefaultWebUsbGuardSetting"
- Value = 2
- }<#
- @{
- Id = "DTBC-0065"
- Task = "URLs must be whitelisted for Autoplay use."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "AutoplayWhitelist"
- Value = Suggested: the set or subset of [*.]mil and [*.]gov
- }#>
- @{
- Id = "DTBC-0060"
- Task = "Chrome Cleanup must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "ChromeCleanupEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0061"
- Task = "Chrome Cleanup reporting must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "ChromeCleanupReportingEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0063"
- Task = "Google Cast must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "EnableMediaRouter"
- Value = 0
- }
- @{
- Id = "DTBC-0066"
- Task = "Anonymized data collection must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "UrlKeyedAnonymizedDataCollectionEnabled"
- Value = 0
- }
- @{
- Id = "DTBC-0067"
- Task = "Collection of WebRTC event logs must be disabled."
- Path = "HKLM:\Software\Policies\Google\Chrome\"
- Name = "WebRtcEventLogCollectionAllowed"
- Value = 0
- }
- )
-}
diff --git a/GoogleChromeAudit/README.md b/GoogleChromeAudit/README.md
deleted file mode 100644
index b572b0ea..00000000
--- a/GoogleChromeAudit/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Google Chrome Audit
-
-based on
-* _Google Chrome Security Technical Implementation Guide V1R15 2019-01-25._
-
-## Overview
-
-The `GoogleChromeAudit`-Module benchmarks the current Google Chrome browser settings with current hardening standards from DISA Security Technical Implementation Guide. This module is designed for Google Chrome.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Google Chrome browser**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-## Loading the Google Chrome Audit module
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\GoogleChromeAudit -Verbose
-```
-3. Generate a report with `Get-GoogleChromeHtmlReport` For example:
-```PowerShell
-Get-GoogleChromeHtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
-
-## Remarks
-
-None.
diff --git a/GoogleChromeAudit/Settings.psd1 b/GoogleChromeAudit/Settings.psd1
deleted file mode 100644
index da58cfa8..00000000
--- a/GoogleChromeAudit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mailto@example.com"
- MailFrom = "Google Chrome Audit Reporting"
- Encoding = "UTF8"
- User = "audittap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-}
\ No newline at end of file
diff --git a/IIS10Audit/IIS10Audit.psd1 b/IIS10Audit/IIS10Audit.psd1
deleted file mode 100644
index 695a238f..00000000
--- a/IIS10Audit/IIS10Audit.psd1
+++ /dev/null
@@ -1,149 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'IIS10Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.2.1'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = 'c413e507-5366-47aa-9694-5e42487500c6'
-
-# Author of this module
-Author = 'Benedikt Böhme', 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2018 FB Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = 'A module that benchmarks the current systems settings with current hardening standards such as the CIS Microsoft IIS Benchmarks. This module is specifically designed for Windows Server 2016 with IIS 10.'
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'IISAdministration',
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @('LogFileModule')
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = @()
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = @()
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = @()
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'iis10', 'WindowsServer2016', 'cis')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/IIS10Audit/README.md b/IIS10Audit/README.md
deleted file mode 100644
index 40603fe8..00000000
--- a/IIS10Audit/README.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# CIS IIS 10 Audit
-
-_based on CIS Microsoft IIS 10 Benchmark v1.1.0 - 12-11-2018"_
-
-## Overview
-
-The `IIS10Audit`-Module benchmarks the current systems settings with current hardening standards such as the CIS Microsoft IIS Benchmarks. This module is specifically designed for Windows Server 2016 with IIS 10.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Windows Server 2016** comes out of the box with:
- * **IIS 10**
- * **PowerShell 5.1**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-
-## Installation
-
-The easiest way to get the module is by installing it with `Install-Module -Name IIS10Audit`. This also installs all the dependencies of this module.
-
-### Loading the IIS Audit module
-
-You only need to import the module when you haven't installed it.
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\IIS10Audit -Verbose
-```
-3. Generate a report with `Get-IIS10HtmlReport` For example:
-```PowerShell
-Get-IIS10HtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
\ No newline at end of file
diff --git a/IIS10Audit/Sample/report.dark.html b/IIS10Audit/Sample/report.dark.html
deleted file mode 100644
index d06271f1..00000000
--- a/IIS10Audit/Sample/report.dark.html
+++ /dev/null
@@ -1,49 +0,0 @@
-IIS 10 Benchmarks [08/23/2018 06:23:40]
FB-Pro GmbH

IIS 10 Benchmarks

Generated by the IIS10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on CIS Microsoft IIS 10 Benchmark v1.0.0 - 03-31-2017.

This report was generated at 08/23/2018 06:23:40 on WIN-ALJMCIFOBRC.

HostnameWIN-ALJMCIFOBRC
Build Number14393
Free disk space (GB)16.3
Free physical memory (GB)0.896
Operating SystemMicrosoft Windows Server 2016 Standard Evaluation
IIS Version10.0.14393.0

Navigation

Click the link(s) below for quick access to a report section.

System Report^

Id Task Message Audit
1.5 Ensure 'unique application pools' is set for sites Following sites do not have unique Application Pools: Default Web Site/, SSLSite/, SSLSite/MyApp2, MyFTPSite/, MySite1/, MySite/, MySite/MyApp1, MySite/MyApp1/MySubApp1, MySite1/MyApp1, MySite1/MyApp1/MyApp2 False
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.1 Ensure 'deployment method retail' is set retail is not enabled in machine.config False
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
4.9 Ensure 'notListedIsapisAllowed' is set to false All Good True
4.10 Ensure 'notListedCgisAllowed' is set to false All Good True
5.2 Ensure Advanced IIS logging is enabled Advanced Logging is not available for IIS 10. See enhanced logging instead. None
6.1 Ensure FTP requests are encrypted Skipped this benchmark - right now Web-Ftp-Server is not installed None
6.2 Ensure FTP Logon attempt restrictions is enabled Skipped this benchmark - right now Web-Ftp-Server is not installed None
7.2 Ensure SSLv2 is disabled All Good True
7.3 Ensure SSLv3 is disabled All Good True
7.4 Ensure TLS 1.0 is disabled TLS 1.0 not disabled False
7.5 Ensure TLS 1.1 is enabled All Good True
7.6 Ensure TLS 1.2 is enabled All Good True
7.7 Ensure NULL Cipher Suites is disabled All Good True
7.8 Ensure DES Cipher Suites is disabled All Good True
7.9.1 Ensure RC4 Cipher Suites is disabled All Good True
7.9.2 Ensure RC4 Cipher Suites is disabled All Good True
7.9.3 Ensure RC4 Cipher Suites is disabled All Good True
7.9.4 Ensure RC4 Cipher Suites is disabled All Good True
7.10 Ensure Triple DES Cipher Suite is Disabled Triple DES Cipher is enabled False
7.11 Ensure AES 128/128 Cipher Suite is configured AES 128/128 Cipher is disbaled False
7.12 Ensure AES 256/256 Cipher Suite is enabled All Good True
7.13.1 Ensure TLS Cipher Suite ordering is correctly configured TLS Cipher Suite ordering does not match reference False
7.13.2 Ensure TLS Cipher Suite does not contain more ciphers TLS Cipher Suite contains more ciphers False

Full site report for: Default Web Site^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:80: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MySite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set All Good True
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Deny IP Address based on the number of requests over a period of time disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at 0 False

Report for: /VD3^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at 0 False

Report for: /MyApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set It is recommended to set max-age to at least 480 seconds. Max-age is set at 1 Warning

Report for: /MyApp1/VD2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set It is recommended to set max-age to at least 480 seconds. Max-age is set at 1 Warning

Report for: /MyApp1/MySubApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set All Good. Max-age is set at 480 True

Report for: /MyApp1/MySubApp1/VD1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set All Good. Max-age is set at 480 True

Full site report for: SSLSite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:443: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured All Good True
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off Custom errors are 'OFF' False
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off Custom errors are 'OFF' False
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled All Good True
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MyFTPSite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:21: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled FTP is not disabled. FTP is using bindings and/or is at least installed. False

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MySite1^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:81: False
1.4 Ensure 'application pool identity' is configured All Good True
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /VD1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/VD2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/MyApp2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/MyApp2/VD3^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False
diff --git a/IIS10Audit/Sample/report.html b/IIS10Audit/Sample/report.html
deleted file mode 100644
index 8dae943b..00000000
--- a/IIS10Audit/Sample/report.html
+++ /dev/null
@@ -1,49 +0,0 @@
-IIS 10 Benchmarks [08/23/2018 06:22:35]
FB-Pro GmbH

IIS 10 Benchmarks

Generated by the IIS10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on CIS Microsoft IIS 10 Benchmark v1.0.0 - 03-31-2017.

This report was generated at 08/23/2018 06:22:35 on WIN-ALJMCIFOBRC.

HostnameWIN-ALJMCIFOBRC
Build Number14393
Free disk space (GB)16.3
Free physical memory (GB)1.577
Operating SystemMicrosoft Windows Server 2016 Standard Evaluation
IIS Version10.0.14393.0

Navigation

Click the link(s) below for quick access to a report section.

System Report^

Id Task Message Audit
1.5 Ensure 'unique application pools' is set for sites Following sites do not have unique Application Pools: Default Web Site/, SSLSite/, SSLSite/MyApp2, MyFTPSite/, MySite1/, MySite/, MySite/MyApp1, MySite/MyApp1/MySubApp1, MySite1/MyApp1, MySite1/MyApp1/MyApp2 False
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.1 Ensure 'deployment method retail' is set retail is not enabled in machine.config False
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
4.9 Ensure 'notListedIsapisAllowed' is set to false All Good True
4.10 Ensure 'notListedCgisAllowed' is set to false All Good True
5.2 Ensure Advanced IIS logging is enabled Advanced Logging is not available for IIS 10. See enhanced logging instead. None
6.1 Ensure FTP requests are encrypted Skipped this benchmark - right now Web-Ftp-Server is not installed None
6.2 Ensure FTP Logon attempt restrictions is enabled Skipped this benchmark - right now Web-Ftp-Server is not installed None
7.2 Ensure SSLv2 is disabled All Good True
7.3 Ensure SSLv3 is disabled All Good True
7.4 Ensure TLS 1.0 is disabled TLS 1.0 not disabled False
7.5 Ensure TLS 1.1 is enabled All Good True
7.6 Ensure TLS 1.2 is enabled All Good True
7.7 Ensure NULL Cipher Suites is disabled All Good True
7.8 Ensure DES Cipher Suites is disabled All Good True
7.9.1 Ensure RC4 Cipher Suites is disabled All Good True
7.9.2 Ensure RC4 Cipher Suites is disabled All Good True
7.9.3 Ensure RC4 Cipher Suites is disabled All Good True
7.9.4 Ensure RC4 Cipher Suites is disabled All Good True
7.10 Ensure Triple DES Cipher Suite is Disabled Triple DES Cipher is enabled False
7.11 Ensure AES 128/128 Cipher Suite is configured AES 128/128 Cipher is disbaled False
7.12 Ensure AES 256/256 Cipher Suite is enabled All Good True
7.13.1 Ensure TLS Cipher Suite ordering is correctly configured TLS Cipher Suite ordering does not match reference False
7.13.2 Ensure TLS Cipher Suite does not contain more ciphers TLS Cipher Suite contains more ciphers False

Full site report for: Default Web Site^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:80: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MySite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set All Good True
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Deny IP Address based on the number of requests over a period of time disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at 0 False

Report for: /VD3^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at 0 False

Report for: /MyApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set It is recommended to set max-age to at least 480 seconds. Max-age is set at 1 Warning

Report for: /MyApp1/VD2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set It is recommended to set max-age to at least 480 seconds. Max-age is set at 1 Warning

Report for: /MyApp1/MySubApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed All Good True
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set All Good. Max-age is set at 480 True

Report for: /MyApp1/MySubApp1/VD1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled Directory Browsing is enabled False
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access All Good True
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set All Good. Max-age is set at 480 True

Full site report for: SSLSite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:443: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured All Good True
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off Custom errors are 'OFF' False
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off Custom errors are 'OFF' False
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled All Good True
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MyFTPSite^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:21: False
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled FTP is not disabled. FTP is using bindings and/or is at least installed. False

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Full site report for: MySite1^

Id Task Message Audit
1.1 Ensure web content is on non-system partition Web content is on system partition False
1.2 Ensure 'host headers' is set The following bindings do no specify a host: *:81: False
1.4 Ensure 'application pool identity' is configured All Good True
1.4 Ensure 'application pool identity' is configured All Good True
2.6 Ensure transport layer security for 'basic authentication' is configured SSL is not required in configuration False
3.8 Ensure 'MachineKey validation method - .Net 3.5' is configured All Good True
3.9 Ensure 'MachineKey validation method - .Net 4.5' is configured Validation set to SHA1 False
3.10 Ensure global .NET trust level is configured All Good True
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled Dynamic IP Restriction disabled False
5.1 Ensure Default IIS web log location is moved Logfile location is on system drive: C:\inetpub\logs\LogFiles False
5.3 Ensure 'ETW Logging' is enabled ETW Logging disabled False
6.0 Ensure FTP is disabled All Good True

Report for: /^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /VD1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/VD2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/MyApp2^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False

Report for: /MyApp1/MyApp2/VD3^

Id Task Message Audit
1.3 Ensure 'directory browsing' is set to disabled All Good True
1.6 Ensure 'application pool identity' is configured for anonymous user identity Username is set to: IUSR False
2.1 Ensure 'global authorization rule' is set to restrict access Authorization rule to allow all or anonymous users is set False
2.2 Ensure access to sensitive site features is restricted to authenticated principals only All Good True
2.3 Ensure 'forms authentication' require SSL All Good True
2.4 Ensure 'forms authentication' is set to use cookies All Good True
2.5 Ensure 'cookie protection mode' is configured for forms authentication All Good True
2.7 Ensure 'passwordFormat' is not set to clear All Good True
2.8 Ensure 'credentials' are not stored in configuration files All Good True
3.2 Ensure 'debug' is turned off All Good True
3.3 Ensure custom error messages are not off All Good True
3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely All Good True
3.5 Ensure ASP.NET stack tracing is not enabled All Good True
3.6 Ensure 'httpcookie' mode is configured for session state All Good True
3.7 Ensure 'cookies' are set with HttpOnly attribute httpOnlyCookies set to False False
4.1 Ensure 'maxAllowedContentLength' is configured All Good - maxContentLength: 30000000 True
4.2 Ensure 'maxURL request filter' is configured All Good - maxURLRequestFilter: 4096 True
4.3 Ensure 'MaxQueryString request filter' is configured All Good - maxQueryStringRequestFilter: 2048 True
4.4 Ensure non-ASCII characters in URLs are not allowed non-ASCII characters in URLs are allowed False
4.5 Ensure Double-Encoded requests will be rejected All Good True
4.6 Ensure 'HTTP Trace Method' is disabled HTTP Trace Method is not filtered False
4.7 Ensure Unlisted File Extensions are not allowed Unlisted file extensions allowed False
4.8 Ensure Handler is not granted Write and Script/Execute All Good True
7.1 Ensure HSTS Header is set HSTS Header not set False
diff --git a/IIS10Audit/Settings.psd1 b/IIS10Audit/Settings.psd1
deleted file mode 100644
index 9eca194d..00000000
--- a/IIS10Audit/Settings.psd1
+++ /dev/null
@@ -1,35 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Settings = @{}
-}
\ No newline at end of file
diff --git a/IIS8Audit/IIS8Audit.psd1 b/IIS8Audit/IIS8Audit.psd1
deleted file mode 100644
index e042b93e..00000000
--- a/IIS8Audit/IIS8Audit.psd1
+++ /dev/null
@@ -1,149 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'IIS8Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.0.0.0'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = 'ca22a5c4-f239-4b80-96b5-d757b8432c68'
-
-# Author of this module
-Author = 'Benedikt Böhme', 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2018 FB Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = 'A module that benchmarks the current systems settings with current hardening standards such as the CIS Microsoft IIS Benchmarks. This module is specifically designed for Windows Server 2012 with IIS 8.'
-
-# Minimum version of the Windows PowerShell engine required by this module
-# PowerShellVersion = ''
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'IISAdministration',
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @('LogFileModule')
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = @()
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = @()
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = @()
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'iis8', 'WindowsServer2012', 'cis')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/IIS8Audit/IIS8Audit.psm1 b/IIS8Audit/IIS8Audit.psm1
deleted file mode 100644
index 3d1a3b79..00000000
--- a/IIS8Audit/IIS8Audit.psm1
+++ /dev/null
@@ -1,2803 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-#region Authors(s)
-#
-# Author(s): Benedikt Böhme, Dennis Esly
-# Date: 31/05/2018
-# Last change: 08/20/2018
-# Version: 1.0.0.1
-#
-#endregion
-
-using module ATAPHtmlReport
-using namespace Microsoft.Web.Administration
-using namespace Microsoft.Windows.ServerManager.Commands
-
-#region Import Settings
-Import-LocalizedData -FileName Settings.ps1 -BindingVariable ConfigFile
-#endregion
-
-
-#region Helper Functions
-$MESSAGE_ALLGOOD = "All Good"
-# $VIRTUALPATH_REGISTRY = "REGISTRY"
-
-class VirtualPathAudit {
- [string] $VirtualPath
- [AuditInfo[]] $AuditInfos
-}
-
-class SiteAudit {
- [string] $SiteName
- [AuditInfo[]] $AuditInfos
-
- [VirtualPathAudit[]] $VirtualPathAudits
-}
-
-function Get-IISSiteVirtualPaths {
-
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [Site] $Site,
-
- [switch] $AllVirtualDirectories
- )
-
- process {
- foreach ($App in $Site.Applications) {
- Write-Output ($App.Path)
-
- if ($AllVirtualDirectories) {
- foreach ($VirtualDirectory in $App.VirtualDirectories) {
- if ($VirtualDirectory.Path -ne "/") {
- $AppPath = if ($App.Path -ne "/") {
- $App.Path
- }
- else {
- ""
- }
- Write-Output ($AppPath + $VirtualDirectory.Path)
- }
- }
- }
- }
- }
-}
-
-function Get-IISModules {
- (Get-IISConfigSection -SectionPath "system.webServer/modules").GetCollection() `
- | Get-IISConfigAttributeValue -AttributeName "Name"
-}
-#endregion
-
-#region 1 Basic Configuration
-#
-# This section contains basic Web server-level recommendations
-
-# 1.1
-function Test-IISVirtualDirPartition {
- <#
- .Synopsis
- Ensure web content is on non-system partition
- .Description
- Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume.
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $SystemDrive = [system.environment]::getenvironmentvariable("SystemDrive") - $Path = $Site.Applications["/"].VirtualDirectories["/"].PhysicalPath - - if ($Path.StartsWith("%SystemDrive%") -or $Path.StartsWith($SystemDrive)) { - $message = "Web content is on system partition" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.1" - Task = "Ensure web content is on non-system partition" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 1.2 -function Test-IISHostHeaders { - <# - .Synopsis - Ensure 'host headers' are on all sites - .DESCRIPTION - Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites. Wildcard host headers are now supported. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - [array]$Bindings = $Site.Bindings | Where-Object { [string]::IsNullOrEmpty($_.Host) } - - if ($Bindings.Count -gt 0) { - $message = "The following bindings do no specify a host: " + ($Bindings.bindingInformation -join ", ") - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.2" - Task = "Ensure 'host headers' is set" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 1.3 -function Test-IISDirectoryBrowsing { - <# - .Synopsis - Ensure 'directory browsing' is set to disabled - .Description - Directory browsing allows the contents of a directory to be displayed upon request from a web client. 
If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met: - - 1. No specific file is requested in the URL - 2. The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list - - It is recommended that directory browsing be disabled. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure directory browsing is installed - if ((Get-WindowsFeature Web-Dir-Browsing).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/directoryBrowse" - $section = $Configuration.GetSection($path) - - $Enabled = $section | Get-IISConfigAttributeValue -AttributeName "enabled" - - if ($Enabled -eq $true) { - $message = "Directory Browsing is enabled" - $audit = [AuditStatus]::False - } - elseif ($null -eq $Enabled) { - $message = "Directory Browsing not explicit set to false" - $audit = [AuditStatus]::Warning - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.3" - Task = "Ensure 'directory browsing' is set to disabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 1.4 -function Test-IISAppPoolIdentity { - <# - .Synopsis - Ensure 'application pool identity' is configured for all application pools - .Description - Application Pool Identities are the actual users/authorities that will run the worker process - w3wp.exe. Assigning the correct user authority will help ensure that applications can function properly, while not giving overly permissive permissions on the system. These identities can further be used in ACLs to protect system content. It is recommended that each Application Pool run under a unique identity. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [ApplicationPool] $AppPool - ) - - begin { - $AppPoolUsers = (Get-IISAppPool).ProcessModel.Username | Group-Object -NoElement - } - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ($AppPool.ProcessModel.IdentityType -eq [ProcessModelIdentityType]::SpecificUser) { - # Get the username of the specific application - $Username = $AppPool.ProcessModel.UserName - - if (($AppPoolUsers | Where-Object Name -eq $Username).Count -gt 1) { - $message = "ApplicationPoolIdentity $Username is used for more than one ApplicationPool" - $audit = [AuditStatus]::False - } - else { - $message = "Unique ApplicationPoolIdentity $Username is used." - $audit = [AuditStatus]::True - } - } - elseif ($AppPool.ProcessModel.IdentityType -ne [ProcessModelIdentityType]::ApplicationPoolIdentity) { - $message = "ApplicationPoolIdentity is not set" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.4" - Task = "Ensure 'application pool identity' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 1.5 -function Test-IISUniqueSiteAppPool { - <# - .Synopsis - Ensure 'unique application pools' is set for sites - .Description - IIS introduced a new security feature called Application Pool Identities that allows Application Pools to be run under unique accounts without the need to create and manage local or domain accounts. It is recommended that all Sites run under unique, dedicated Application Pools. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $Apps = foreach ($Site in (Get-IISSite)) { - foreach ($App in $Site.Applications) { - New-Object -TypeName PSObject -Property @{ - VirtualPath = $Site.name + $App.path - ApplicationPoolName = $App.ApplicationPoolName - } - } - } - - [array]$Findings = $Apps ` - | Group-Object -Property ApplicationPoolName ` - | Where-Object -Property Count -gt 1 - - if ($Findings.Count -gt 0) { - $message = "Following sites do not have unique Application Pools: " + ($findings.Group.VirtualPath -join ", ") - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.5" - Task = "Ensure 'unique application pools' is set for sites" - Message = $message - Audit = $audit - } | Write-Output -} - -# 1.6 -function Test-IISAnonymouseUserIdentity { - <# - .Synopsis - Ensure 'application pool identity' is configured for anonymous user identity - .Description - To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a Web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. It is recommended the Application Pool Identity be set as the Anonymous User Identity. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.webServer/security/authentication/anonymousAuthentication" - $section = $Configuration.GetSection($path) - - $username = $section | Get-IISConfigAttributeValue -AttributeName "userName" - - if ($username -ne "") { - $message = "Username is set to: $username" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "1.6" - Task = "Ensure 'application pool identity' is configured for anonymous user identity" - Message = $message - Audit = $audit - } | Write-Output - } -} - -#endregion - -#region 2 Configure Authentication and Authorization -# -# This section contains recommendations around the different layers of authentication in IIS. - -# 2.1 -function Test-IISGlobalAuthorization { - <# - .Synopsis - Ensure 'global authorization rule' is set to restrict access - .Description - IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g. static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure URL Authentication is installed - if ((Get-WindowsFeature Web-Url-Auth).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/authorization" - $section = $Configuration.GetSection($path) - - [array]$elements = $section.GetCollection() ` - | Where-Object { - $accessType = $_ | Get-IISConfigAttributeValue -AttributeName "accessType" - $users = $_ | Get-IISConfigAttributeValue -AttributeName "users" - $roles = $_ | Get-IISConfigAttributeValue -AttributeName "roles" - ($accessType -eq "Allow") -and ($users -eq "*" -or $roles -eq "?") - } - - if ($elements.Count -ne 0) { - $message = "Authorization rule to allow all or anonymous users is set" - $audit = [AuditStatus]::False - } - } - else { - $message = "URL Authorization is not installed" - $audit = [AuditStatus]::Warning - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.1" - Task = "Ensure 'global authorization rule' is set to restrict access" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.2 -function Test-IISAuthenticatedPricipals { - <# - .Synopsis - Ensure access to sensitive site features is restricted to authenticated principals only - .Description - IIS supports both challenge-based and login redirection-based authentication methods. Challenge-based authentication methods, such as Integrated Windows Authentication, require a client to respond correctly to a server-initiated challenge. A login redirection-based authentication method such as Forms Authentication relies on redirection to a login page to determine the identity of the principal. Challenge-based authentication and login redirection-based authentication methods cannot be used in conjunction with one another. 
- - It is recommended that sites containing sensitive information, confidential data, or non-public web services be configured with a credentials-based authentication mechanism. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" - - if (($mode -ne "Windows") -and ($mode -ne "Forms")) { - $message = "Check authentication principals" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.2" - Task = "Ensure access to sensitive site features is restricted to authenticated principals only" - Message = $message - Audit = $audit - } | Write-Output - } - -} - -# 2.3 -function Test-IISFormsAuthenticationSSL { - <# - .Synopsis - Ensure 'forms authentication' require SSL - .Description - Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Forms Authentication be encrypted using SSL. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" - - if ((Get-IISModules) -contains "FormsAuthentication") { - # Ensure authentication mode is set to Forms - if ($mode -eq "Forms") { - - $requireSSL = $section ` - | Get-IISConfigElement -ChildElementName "forms" ` - | Get-IISConfigAttributeValue -AttributeName "requireSSL" - - if (-not $requireSSL) { - $message = "Forms authentication does not require SSL" - $audit = [AuditStatus]::False - } - } - } - else { - $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.3" - Task = "Ensure 'forms authentication' require SSL" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.4 -function Test-IISFormsAuthenticationCookies { - <# - .Synopsis - Ensure 'forms authentication' is set to use cookies - .Description - Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" - - if ((Get-IISModules) -contains "FormsAuthentication") { - if ($mode -eq "Forms") { - $cookieless = $section | Get-IISConfigElement -ChildElementName "forms" ` - | Get-IISConfigAttributeValue -AttributeName "cookieless" - - if ($cookieless -ne "UseCookies") { - $message = "Forms authentication is not set to use cookies" - $audit = [AuditStatus]::False - } - } - } - else { - $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.4" - Task = "Ensure 'forms authentication' is set to use cookies" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.5 -function Test-IISFormsAuthenticationProtection { - <# - .Synopsis - Ensure 'cookie protection mode' is configured for forms authentication - .Description - The cookie protection mode defines the protection Forms Authentication cookies will be given within a configured application. - - It is recommended that cookie protection mode always encrypt and validate Forms Authentication cookies. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" - - if ((Get-IISModules) -contains "FormsAuthentication") { - if ($mode -ieq "Forms") { - $protection = $section ` - | Get-IISConfigElement -ChildElementName "forms" ` - | Get-IISConfigAttributeValue -AttributeName "protection" - - if ($protection -ne "All") { - $message = "Cookie Protection Mode is not set to ALL" - $audit = [AuditStatus]::False - } - } - } - else { - $message = "Forms authentication is not installed" - $audit = [AuditStatus]::Warning - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.5" - Task = "Ensure 'cookie protection mode' is configured for forms authentication" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.6 -function Test-IISTLSForBasicAuth { - <# - .Synopsis - Ensure transport layer security for 'basic authentication' is configured - .Description - Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible and is recommended that TLS be configured and required for any Site or Application using Basic Authentication. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ((Get-WindowsFeature Web-Basic-Auth).InstallState -eq [InstallState]::Installed) { - [array]$httpsBindings = $Site.Bindings | Where-Object -Property Protocol -eq "https" - - $sslFlags = Get-IISConfigSection -Location $Site.Name ` - -SectionPath "system.webServer/security/access" ` - | Get-IISConfigAttributeValue -AttributeName "sslFlags" - - # split the flags into an array - $sslValues = $sslFlags.Split("{,}") - - # Ensure ssl-flag is set - if (-not ($sslValues -contains "ssl")) { - $message = "SSL is not required in configuration" - $audit = [AuditStatus]::False - } - # Ensure site has https bindings - elseif ($httpsBindings.Count -eq 0) { - $message = "Site has no secure protocol binding" - $audit = [AuditStatus]::False - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.6" - Task = "Ensure transport layer security for 'basic authentication' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.7 -function Test-IISPasswordFormatNotClear { - <# - .Synopsis - Ensure 'passwordFormat' is not set to clear - .Description - The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $passwordFormat = $section ` - | Get-IISConfigElement -ChildElementName "forms" ` - | Get-IISConfigElement -ChildElementName "credentials" ` - | Get-IISConfigAttributeValue -AttributeName "passwordFormat" - - if ($passwordFormat -eq "Clear" ) { - $message = "Credentials passwordFormat set to 'Clear'" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.7" - Task = "Ensure 'passwordFormat' is not set to clear" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.7 -function Test-IISPasswordFormatNotClearMachineLevel { - <# - .Synopsis - Ensure 'passwordFormat' is not set to clear - .Description - The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() - $passwordFormat = $machineConfig.GetSection("system.web/authentication").forms.credentials.passwordFormat - - if ($passwordFormat -eq "Clear" ) { - $message = "Credentials passwordFormat set to 'Clear'" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.7" - Task = "Ensure 'passwordFormat' is not set to clear" - Message = $message - Audit = $audit - } | Write-Output -} - -# 2.8 -function Test-IISCredentialsNotStored { - <# - .Synopsis - Ensure 'credentials' are not stored in configuration files - .Description - The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended to avoid storing passwords in the configuration file even in form of hash. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/authentication" - $section = $Configuration.GetSection($path) - - $credentials = $section ` - | Get-IISConfigElement -ChildElementName "forms" ` - | Get-IISConfigElement -ChildElementName "credentials" - - if ($credentials.IsLocallyStored) { - $message = "'credentials' is stored in configuration" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.8" - Task = "Ensure 'credentials' are not stored in configuration files" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 2.8 -function Test-IISCredentialsNotStoredMachineLevel { - <# - .Synopsis - Ensure 'credentials' are not stored in configuration files - .Description - The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended to avoid storing passwords in the configuration file even in form of hash. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() - $credentials = $machineConfig.GetSection("system.web/authentication").forms.credentials - - if ($credentials.ElementInformation.IsPresent) { - $message = "'credentials' is stored in configuration" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "2.8" - Task = "Ensure 'credentials' are not stored in configuration files" - Message = $message - Audit = $audit - } | Write-Output -} - -#endregion - -#region 3 ASP.NET Configuration Recommendation -# -# This section contains recommendations specific to ASP.NET. - -# 3.1 -function Test-IISDeploymentMethodRetail { - <# - .Synopsis - Ensure 'deployment method retail' is set - .Description - The switch is intended for use by production IIS servers. This switch is used to help applications run with the best possible performance and least possible security information leakages by disabling the application's ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch. Often times, switches and options that are developer-focused, such as failed request tracing and debugging, are enabled during active development. It is recommended that the deployment method on any production server be set to retail. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() - $deployment = $machineConfig.GetSection("system.web/deployment") - - if (-not $deployment.retail) { - $message = "retail is not enabled in machine.config" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.1" - Task = "Ensure 'deployment method retail' is set" - Message = $message - Audit = $audit - } | Write-Output -} - -# 3.2 -function Test-IISDebugOff { - <# - .Synopsis - Ensure 'debug' is turned off - .Description - Developers often enable the debug mode during active ASP.NET development so that they do not have to continually clear their browsers cache every time they make a change to a resource handler. The problem would arise from this being left "on" or set to "true". Compilation debug output is displayed to the end user, allowing malicious persons to obtain detailed information about applications. - - is recommended that debugging still be turned off. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/compilation" - $section = $Configuration.GetSection($path) - - $debug = $section | Get-IISConfigAttributeValue -AttributeName "debug" - - if ($debug) { - $message = "Debug is ON" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.2" - Task = "Ensure 'debug' is turned off" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.3 -function Test-IISCustomErrorsNotOff { - <# - .Synopsis - Ensure custom error messages are not off - .Description - When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether or not the application should display a friendly message to the client, detailed error message to the client, or detailed error message to localhost only. - - It is recommended that customErrors still be turned to On or RemoteOnly. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/customErrors" - $section = $Configuration.GetSection($path) - - $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" - - if ($mode -eq "Off") { - $message = "Custom errors are 'OFF'" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.3" - Task = "Ensure custom error messages are not off" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.4 -function Test-IISHttpErrorsHidden { - <# - .Synopsis - Ensure IIS HTTP detailed errors are hidden from displaying remotely - .Description - A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.webServer/httpErrors" - $section = $Configuration.GetSection($path) - - $errorMode = $section | Get-IISConfigAttributeValue -AttributeName "errorMode" - - if (($errorMode -ne "Custom") -and ($errorMode -ne "DetailedLocalOnly")) { - $message = "HTTP detailed errors are set to 'Detailed'" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.4" - Task = "Ensure IIS HTTP detailed errors are hidden from displaying remotely" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.5 -function Test-IISAspNetTracingDisabled { - <# - .Synopsis - Ensure ASP.NET stack tracing is not enabled - .Description - A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/trace" - $section = $Configuration.GetSection($path) - - $traceEnabled = $section | Get-IISConfigAttributeValue -AttributeName "enabled" - - if ($traceEnabled) { - $message = "trace is enabled" - $audit = [AuditStatus]::FALSE - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.5" - Task = "Ensure ASP.NET stack tracing is not enabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.5 -function Test-IISAspNetTracingDisabledMachineLevel { - <# - .Synopsis - Ensure ASP.NET stack tracing is not enabled - .Description - A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() - $trace = $machineConfig.GetSection("system.web/trace") - - if ($trace.enabled) { - $message = "trace is enabled in machine.config" - $audit = [AuditStatus]::FALSE - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.5" - Task = "Ensure ASP.NET stack tracing is not enabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 3.6 -function Test-IISCookielessSessionState { - <# - .Synopsis - Ensure 'httpcookie' mode is configured for session state - .Description - A session cookie associates session information with client information for that session, which can be the duration of a user's connection to a site. The cookie is passed in a HTTP header together with all requests between the client and server. - - It is recommended that session state be configured to UseCookies. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/sessionState" - $section = $Configuration.GetSection($path) - - $cookieless = $section | Get-IISConfigAttributeValue -AttributeName "cookieless" - - if (($cookieless -ne "UseCookies") -and ($cookieless -ne "False")) { - $message = "sessionState set to $cookieless" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.6" - Task = "Ensure 'httpcookie' mode is configured for session state" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.7 -function Test-IISCookiesHttpOnly { - <# - .Synopsis - Ensure 'cookies' are set with HttpOnly attribute - .Description - The httpOnlyCookies attribute of the httpCookies node determines if IIS will set the HttpOnly flag on HTTP cookies it sets. 
The HttpOnly flag indicates to the user agent that the cookie must not be accessible by client-side script (i.e document.cookie). It is recommended that the httpOnlyCookies attribute be set to true. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.web/httpCookies" - $section = $Configuration.GetSection($path) - - $httpOnlyCookies = $section | Get-IISConfigAttributeValue -AttributeName "httpOnlyCookies" - - if (-not $httpOnlyCookie) { - $message = "httpOnlyCookies set to $httpOnlyCookies" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.7" - Task = "Ensure 'cookies' are set with HttpOnly attribute" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.8 -function Test-IISMachineKeyValidation { - <# - .Synopsis - Ensure 'MachineKey validation method - .Net 3.5' is configured - .Description - The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. - - It is recommended that AES or SHA1 methods be configured for use at the global level. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $siteAppPool = $Site.Applications["/"].ApplicationPoolName - $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion - - # Ensure ApplicationPool running is .NET 3.5 (which is an extension of 2.0 so we look for 2.*) - if ($appPoolVersion -like "v2.*") { - - $validation = Get-IISConfigSection -CommitPath $Site.Name ` - -SectionPath "system.web/machineKey" ` - | Get-IISConfigAttributeValue -AttributeName "Validation" - - if ($validation -ne "SHA1") { - $message = "Validation set to $validation" - $audit = [AuditStatus]::False - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.8" - Task = "Ensure 'MachineKey validation method - .Net 3.5' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.9 -function Test-IISMachineKeyValidationV45 { - <# - .Synopsis - Ensure 'MachineKey validation method - .Net 4.5' is configured - .Description - The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. - - It is recommended that SHA-2 methods be configured for use at the global level. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $siteAppPool = $site.Applications["/"].ApplicationPoolName - $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion - - # Ensure an ApplicationPool is running .NET 4.5 - if ($appPoolVersion -like "v4.*") { - $validation = Get-IISConfigSection -CommitPath $Site.name ` - -SectionPath "system.web/machineKey" ` - | Get-IISConfigAttributeValue -AttributeName "Validation" - - if (($validation -ne "HMACSHA256") -and ($validation -ne "HMACSHA512")) { - $message = "Validation set to $validation" - $audit = [AuditStatus]::False - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.9" - Task = "Ensure 'MachineKey validation method - .Net 4.5' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 3.10 -function Test-IISDotNetTrustLevel { - <# - .Synopsis - Ensure global .NET trust level is configured - .Description - An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. An application that has full trust permissions may access all resource types on a server and perform privileged operations, while applications that run with partial trust have varying levels of operating permissions and access to resources. - - It is recommended that the global .NET Trust Level be set to Medium or lower. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $siteAppPool = $site.Applications["/"].ApplicationPoolName - $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion - - $level = Get-IISConfigSection -CommitPath $Site.name ` - -SectionPath "system.web/trust" ` - | Get-IISConfigAttributeValue -AttributeName "level" - - # medium trust level should be set in .NET 2.*, but not in later versions - if (($appPoolVersion -like "v2.*" -and $level -ne "medium") -or $appPoolVersion -notlike "v4.*") { - $message = "TrustLevel set to $level" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "3.10" - Task = "Ensure global .NET trust level is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -#endregion - -#region 4 Request Filtering and Other Restriction Modules -# -# Request Filtering is a powerful module that provides a configurable set of rules that enables administrators to allow or reject the types of requests that they determine should be allowed or rejected at the server, web site, or web application levels. - - -# 4.1 -function Test-IISMaxAllowedContentLength { - <# - .Synopsis - Ensure 'maxAllowedContentLength' is configured - .Description - The maxAllowedContentLength Request Filter is the maximum size of the http request, measured in bytes, which can be sent from a client to the server. Configuring this value enables the total request size to be restricted to a configured value. It is recommended that the overall size of requests be restricted to a maximum value appropriate for the server, site, or application. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - $maxContentLength = $section ` - | Get-IISConfigElement -ChildElementName "requestLimits" ` - | Get-IISConfigAttributeValue -AttributeName "maxAllowedContentLength" - - if ($maxContentLength -ge 0) { - $message += "`n maxContentLength: $maxContentLength" - } - else { - $message = "maxContentLength not configured" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.1" - Task = "Ensure 'maxAllowedContentLength' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.2 -function Test-IISMaxURLRequestFilter { - <# - .Synopsis - Ensure 'maxURL request filter' is configured - .Description - The maxURL attribute of the property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept. It is recommended that a limit be put on the length of URL. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - $maxURLRequestFilter = $section ` - | Get-IISConfigElement -ChildElementName "requestLimits" ` - | Get-IISConfigAttributeValue -AttributeName "maxURL" - - if ($maxURLRequestFilter -ge 1) { - $message += "`n maxURLRequestFilter: $maxURLRequestFilter" - } - else { - $message = "maxURLRequestFilter not configured" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.2" - Task = "Ensure 'maxURL request filter' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.3 -function Test-IISMaxQueryStringRequestFilter { - <# - .Synopsis - Ensure 'MaxQueryString request filter' is configured - .Description - The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications. It is recommended that values always be established to limit the amount of data will can be accepted in the query string. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - $maxQueryStringRequestFilter = $section ` - | Get-IISConfigElement -ChildElementName "requestLimits" ` - | Get-IISConfigAttributeValue -AttributeName "maxQueryString" - - if ($maxQueryStringRequestFilter -ge 1) { - $message += "`n maxQueryStringRequestFilter: $maxQueryStringRequestFilter" - } - else { - $message = "maxQueryStringRequestFilter not configured" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.3" - Task = "Ensure 'MaxQueryString request filter' is configured" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.4 -function Test-IISNonASCIICharURLForbidden { - <# - .Synopsis - Ensure non-ASCII characters in URLs are not allowed - .Description - This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters. It is recommended that requests containing non-ASCII characters be rejected, where possible. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - $allowHighBitCharacters = $section ` - | Get-IISConfigAttributeValue -AttributeName "allowHighBitCharacters" - - if ($allowHighBitCharacters) { - $message = "non-ASCII characters in URLs are allowed" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.4" - Task = "Ensure non-ASCII characters in URLs are not allowed" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.5 -function Test-IISRejectDoubleEncodedRequests { - <# - .Synopsis - Ensure Double-Encoded requests will be rejected - .Description - This Request Filter feature prevents attacks that rely on double-encoded requests and applies if an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS will go through a two iteration process of normalizing the request. If the first normalization differs from the second, the request is rejected and the error code is logged as a 404.11. The double-encoded requests filter was the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected. 
- #> - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - $allowDoubleEscaping = $section` - | Get-IISConfigAttributeValue -AttributeName "allowDoubleEscaping" - - if ($allowDoubleEscaping) { - $message = "Rejecting Double-Encoded requests not set" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.5" - Task = "Ensure Double-Encoded requests will be rejected" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.6 -function Test-IISHTTPTraceMethodeDisabled { - <# - .Synopsis - Ensure 'HTTP Trace Method' is disabled - .Description - The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request. One such way to mitigate this is by using the element of the collection. The element replaces the [AllowVerbs] and [DenyVerbs] features in UrlScan. It is recommended the HTTP TRACE method be denied. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = "HTTP Trace Method is not filtered" - $audit = [AuditStatus]::False - - # Ensure request filering is installed - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - $section = $Configuration.GetSection($path) - - [array]$httpTraceMethod = $section.GetCollection("verbs") ` - | Where-Object { - $trace = $_ | Get-IISConfigAttributeValue -AttributeName "verb" - $allowed = $_ | Get-IISConfigAttributeValue -AttributeName "allowed" - ($trace -eq "trace") -and (-not $allowed) - } - - if ($httpTraceMethod.Count -eq 1) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.6" - Task = "Ensure 'HTTP Trace Method' is disabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.7 -function Test-IISBlockUnlistedFileExtensions { - <# - .Synopsis - Ensure Unlisted File Extensions are not allowed - .Description - The FileExtensions Request Filter allows administrators to define specific extensions their web server(s) will allow and disallow. The property allowUnlisted will cover all other file extensions not explicitly allowed or denied. Often times, extensions such as .config, .bat, .exe, to name a few, should never be served. The AllowExtensions and DenyExtensions options are the UrlScan equivalents. It is recommended that all extensions be unallowed at the most global level possible, with only those necessary being allowed. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { - $path = "system.webServer/security/requestFiltering" - - $section = $Configuration.GetSection($path) - - $allowUnlisted = $section ` - | Get-IISConfigElement -ChildElementName "fileExtensions" ` - | Get-IISConfigAttributeValue -AttributeName "allowUnlisted" - - - if ($allowUnlisted) { - $message = "Unlisted file extensions allowed" - $audit = [AuditStatus]::False - } - } - else { - $message = "Request Filering is not installed" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.7" - Task = "Ensure Unlisted File Extensions are not allowed" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.8 -function Test-IISHandlerDenyWrite { - <# - .Synopsis - Ensure Handler is not granted Write and Script/Execute - .Description - Handler mappings can be configured to give permissions to Read, Write, Script, or Execute depending on what the use is for - reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/``Script or Write permissions, but not both. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "system.webServer/handlers" - $section = $Configuration.GetSection($path) - $accessPolicy = ($section | Get-IISConfigAttributeValue -AttributeName "accessPolicy").Split(",") - - if ((($accessPolicy -contains "Script") -or ($accessPolicy -contains "Execute")) ` - -and ($accessPolicy -contains "Write")) { - $message = "Handler is granted write and script/execute" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.8" - Task = "Ensure Handler is not granted Write and Script/Execute" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 4.9 -function Test-IISIsapisNotAllowed { - <# - .Synopsis - Ensure 'notListedIsapisAllowed' is set to false - .Description - The notListedIsapisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the element of the section under . This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. It is recommended that notListedIsapisAllowed be set to false. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - try { - $isapiCgiRestriction = Get-IISConfigSection ` - -SectionPath "system.webServer/security/isapiCgiRestriction" ` - | Get-IISConfigAttributeValue -AttributeName "notListedIsapisAllowed" - - # Verify that the notListedIsapisAllowed attribute in the element is set to false - if ($isapiCgiRestriction) { - $message = "IsapiCgiRestriction 'notListedIsapisAllowed' not set to false" - $audit = [AuditStatus]::False - } - } - catch { - $message = "Cannot get setting 'notListedIsapisAllowed' for IsapiCgiRestriction" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.9" - Task = "Ensure 'notListedIsapisAllowed' is set to false" - Message = $message - Audit = $audit - } | Write-Output -} - -# 4.10 -function Test-IISCgisNotAllowed { - <# - .Synopsis - Ensure 'notListedCgisAllowed' is set to false - .Description - The notListedCgisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the element of the section under . This element ensures that malicious users cannot copy unauthorized CGI binaries to the Web server and then run them. It is recommended that notListedCgisAllowed be set to false. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - try { - $isapiCgiRestriction = Get-IISConfigSection ` - -SectionPath "system.webServer/security/isapiCgiRestriction" ` - | Get-IISConfigAttributeValue -AttributeName "notListedCgisAllowed" - - # Verify that the notListedCgisAllowed attribute in the element is set to false - if ($isapiCgiRestriction) { - $message = "IsapiCgiRestriction 'notListedCgisAllowed' not set to false" - $audit = [AuditStatus]::False - } - } - catch { - $message = "Cannot get setting 'notListedCgisAllowed' for IsapiCgiRestriction" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.10" - Task = "Ensure 'notListedCgisAllowed' is set to false" - Message = $message - Audit = $audit - } | Write-Output -} - -# 4.11 -function Test-IISDynamicIPRestrictionEnabled { - <# - .Synopsis - Ensure 'Dynamic IP Address Restrictions' is enabled - .Description - IIS Dynamic IP Address Restrictions capability can be used to thwart DDos attacks. This is complimentary to the IP Addresses and Domain names Restrictions lists that can be manually maintained within IIS. In contrast, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified request threshold. The default action Deny action for restrictions is to return a Forbidden response to the client. 
- #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - # Ensure the windows feature is installed - if ((Get-WindowsFeature Web-Ip-Security).InstallState -ne [InstallState]::Installed) { - $message = "`"IP and Domain Restrictions`" must be installed to enabled `"Dynamic IP Address Restrictions`"" - $audit = [AuditStatus]::False - } - else { - $dynamicIpSecurity = Get-IISConfigSection -Location $Site.Name ` - -SectionPath "system.webServer/security/dynamicIpSecurity" - - $denyByConcurrentRequests = $dynamicIpSecurity ` - | Get-IISConfigElement -ChildElementName "denyByConcurrentRequests" ` - | Get-IISConfigAttributeValue -AttributeName "enabled" - - $denyByRequestRate = $dynamicIpSecurity ` - | Get-IISConfigElement -ChildElementName "denyByRequestRate" ` - | Get-IISConfigAttributeValue -AttributeName "enabled" - - if ($denyByConcurrentRequests -and -not $denyByRequestRate) { - $message = "Deny IP Address based on the number of requests over a period of time disabled" - $audit = [AuditStatus]::False - } - elseif (-not $denyByConcurrentRequests -and $denyByRequestRate) { - $message = "Deny IP Address based on the number of concurrent requests disabled" - $audit = [AuditStatus]::False - } - elseif (-not $denyByConcurrentRequests -and -not $denyByRequestRate) { - $message = "Dynamic IP Restriction disabled" - $audit = [AuditStatus]::False - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "4.11" - Task = "Ensure 'Dynamic IP Address Restrictions' is enabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -#endregion - -#region 5 IIS Logging Recommendations -# -# This section contains recommendations regarding IIS logging that have not been covered in the Basic Configurations section. 
- -# 5.1 -function Test-IISLogFileLocation { - <# - .Synopsis - Ensure Default IIS web log location is moved - .Description - IIS will log relatively detailed information on every request. These logs are usually the first item looked at in a security response, and can be the most valuable. Malicious users are aware of this, and will often try to remove evidence of their activities. It is therefore recommended that the default location for IIS log files be changed to a restricted, non-system drive. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $logFileLocation = ($Site.logFile.Directory).replace("%SystemDrive%", $env:SystemDrive) - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ($logFileLocation.StartsWith($env:SystemDrive)) { - $message = "Logfile location is on system drive: $logFileLocation" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "5.1" - Task = "Ensure Default IIS web log location is moved" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 5.2 -function Test-IISAdvancedLoggingEnabled { - <# - .Synopsis - Ensure Advanced IIS logging is enabled - .Description - 5.2 - Ensure Advanced IIS logging is enabled. - - IIS will log relatively detailed information on every request. These logs are usually the first item looked at in a security response, and can be the most valuable. - Malicious users are aware of this, and will often try to remove evidence of their activities. It is therefore recommended that the default location for IIS log files be changed to a restricted, non-system drive. - .PARAMETER site - IIS site to check for enabled Advanced Logging - #> - [CmdletBinding()] - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - $Site - ) - - # Advanced Logging is not installed per default. Check, if module is installed. 
- # No try/catch because functions simply delivers a $null value if module is not present - - begin { - # Check if Advanced Logging module is installed - $advLogModule = Get-WebGlobalModule -Name AdvancedLoggingModule - - # Check if Advanced Logging module is enabled for server - # no try/catch because we will check it in process part - $serverState = Get-WebConfiguration -filter "system.webServer/advancedLogging/server" -ErrorAction SilentlyContinue ` - | Select-Object -ExpandProperty enabled - - $task = "Ensure Advanced IIS logging is enabled" - } - - process { - $task = "Ensure Advanced IIS logging is enabled" - $message = "An error occured" - $audit = [AuditStatus]::False - - if ( $null -eq $advLogModule ) { - $message = "Advanced Logging Module not installed" - $audit = [AuditStatus]::False - } - elseif ( $null -eq $serverState ) { - $message = "Advanced Logging settings not found for server." - $audit = [AuditStatus]::False - - Write-LogFile -Path $LogPath ` - -Name $LogName ` - -Message "Advanced Logging settings for server not found, check applicationhost.config file (XPath system.webServer/advancedLogging/server) `n $_.Exception" ` - -Level Error - } - # do further checking - else { - $task = "Ensure Advanced IIS logging is enabled for site $($site.name)" - - $siteState = Get-WebConfigurationProperty ` - -Filter "system.webServer/advancedLogging/server" ` - -PSPath "IIS:\Sites\$($site.name)" ` - -Name enabled ` - | Select-Object -ExpandProperty Value - - if ( $siteState -and (-not $site.advancedLogging.directory.StartsWith("%SystemDrive%")) ) { - $message = "Advanced Logging enabled" - $audit = [AuditStatus]::True - } - elseif ( $siteState -and ($site.advancedLogging.directory.StartsWith("%SystemDrive%")) ) { - $message = "Advanced Logging enabled, but logging on system drive" - $audit = [AuditStatus]::Warning - } - else { - $message = "Advanced Logging disabled" - $audit = [AuditStatus]::False - } - }#end else - - New-Object -TypeName AuditInfo -Property 
@{ - Id = "5.2" - Task = $task - Message = $message - Audit = $audit - } | Write-Output - - }#end process -} - -# 5.3 -function Test-IISETWLoggingEnabled { - <# - .Synopsis - Ensure 'ETW Logging' is enabled - .Description - IIS introduces a new logging method. Administrators can now send logging information to Event Tracing for Windows (ETW) - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if (-not ($Site.logFile.logTargetW3C -like "*ETW*")) { - $message = "ETW Logging disabled" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "5.3" - Task = "Ensure 'ETW Logging' is enabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -#endregion - -#region 6 FTP Requests -# -# This section contains a crucial configuration setting for running file transfer protocol (FTP). - -# 6.0 -function Test-IISFtpIsDisabled { - <# - .Synopsis - Ensure FTP is disabled - .Description - - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - [array]$ftpBindings = $Site.Bindings | Where-Object -Property Protocol -eq FTP - - if ($ftpBindings.Count -gt 0 -or (Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { - $message = "FTP is not disabled. FTP is using bindings and/or is at least installed." - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "6.0" - Task = "Ensure FTP is disabled" - Message = $message - Audit = $audit - } | Write-Output - } -} - -# 6.1 -function Test-IISFtpRequestsEncrypted { - <# - .Synopsis - Ensure FTP requests are encrypted - .Description - The new FTP Publishing Service for IIS supports adding an SSL certificate to an FTP site. 
Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is an RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers. - #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { - try { - $sslConfigElement = Get-IISConfigSection ` - -SectionPath "system.applicationHost/sites" ` - | Get-IISConfigElement -ChildElementName "siteDefaults" ` - | Get-IISConfigElement -ChildElementName "ftpServer" ` - | Get-IISConfigElement -ChildElementName "security" ` - | Get-IISConfigElement -ChildElementName "ssl" - - $controlChannelPolicy = $sslConfigElement ` - | Get-IISConfigAttributeValue -AttributeName "controlChannelPolicy" - - $dataChannelPolicy = $sslConfigElement ` - | Get-IISConfigAttributeValue -AttributeName "dataChannelPolicy" - - if (($controlChannelPolicy -ne "SslRequire") -or ($dataChannelPolicy -ne "SslRequire")) { - $message = "Found following settings: `n controlChannelPolicy: $controlChannelPolicy `n dataChannelPolicy: $dataChannelPolicy" - $audit = [AuditStatus]::False - } - } - catch { - $message = "Cannot get FTP security setting" - $audit = [AuditStatus]::False - } - } - else { - $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" - $audit = [AuditStatus]::None - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "6.1" - Task = "Ensure FTP requests are encrypted" - Message = $message - Audit = $audit - } | Write-Output -} - -# 6.2 -function Test-IISFtpLogonAttemptRestriction { - <# - .Synopsis - Ensure FTP Logon attempt restrictions is enabled - .Description - IIS introduced a built-in network security feature to automatically block brute force FTP attacks. 
This can be used to mitigate a malicious client from attempting a brute-force attack on a discovered account, such as the local administrator account. - #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { - try { - $denyByFailure = Get-IISConfigSection ` - -SectionPath "system.ftpServer/security/authentication" ` - | Get-IISConfigElement -ChildElementName "denyByFailure" - - $enabled = $denyByFailure ` - | Get-IISConfigAttributeValue -AttributeName "enabled" - $maxFailure = $denyByFailure ` - | Get-IISConfigAttributeValue -AttributeName "maxFailure" - $entryExpiration = $denyByFailure ` - | Get-IISConfigAttributeValue -AttributeName "entryExpiration" - $loggingOnlyMode = $denyByFailure ` - | Get-IISConfigAttributeValue -AttributeName "loggingOnlyMode" - - if (($enabled) -and ($maxFailure -gt 0) -and ($entryExpiration -gt 0) -and (-not $loggingOnlyMode)) { - # All good - } - elseif (-not $enabled ) { - $message = "Feature disabled" - $audit = [AuditStatus]::False - } - else { - $message = "Feature enabled, but check settings. Found: `n maxFailure: " ` - + $maxFailure + "`n entryExpiration: " ` - + $entryExpiration + "`n Only logging mode: " ` - + $loggingOnlyMode - $audit = [AuditStatus]::False - } - } - catch { - $audit = [AuditStatus]::False - $message = "Cannot get FTP Logon attempt settings" - } - } - else { - $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" - $audit = [AuditStatus]::None - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "6.2" - Task = "Ensure FTP Logon attempt restrictions is enabled" - Message = $message - Audit = $audit - } | Write-Output -} - -#endregion - -#region 7 Transport Encryption -# -# This section contains recommendations for configuring IIS protocols and cipher suites. 
- -# 7.1 -function Test-IISHSTSHeaderSet { - <# - .Synopsis - Ensure HSTS Header is set - .Description - HTTP Strict Transport Security (HSTS) allows a site to inform the user agent to communicate with the site only over HTTPS. This header takes two parameters: max-age, "specifies the number of seconds, after the reception of the STS header field, during which the user agent regards the host (from whom the message was received) as a Known HSTS Host [speaks only HTTPS]"; and includeSubDomains. includeSubDomains is an optional directive that defines how this policy is applied to subdomains. If includeSubDomains is included in the header, it provides the following definition: this HSTS Policy also applies to any hosts whose domain names are subdomains of the Known HSTS Host's domain name. - #> - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Configuration] $Configuration - ) - - process { - $message = "HSTS Header not set" - $audit = [AuditStatus]::False - - $path = "system.webServer/httpProtocol" - $section = $Configuration.GetSection($path) - - [array]$customHeaders = $section.GetCollection("customHeaders") ` - | Where-Object { - $name = $_ | Get-IISConfigAttributeValue -AttributeName "name" - $name -eq "Strict-Transport-Security" - } - - if ($customHeaders.Count -eq 1) { - $value = $customHeaders[0] | Get-IISConfigAttributeValue -AttributeName "value" - $pattern = [regex]::new("max-age=(?[0-9]*)") - $match = $pattern.Match($value) - - if ($match.Success) { - [int]$maxAge = $match.Groups["maxage"].Value - if ($maxAge -eq 0) { - $message = "Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" - $audit = [AuditStatus]::False - } - elseif ($maxAge -lt 480) { - $message = "It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" - $audit = [AuditStatus]::Warning - } - else { - $message = $MESSAGE_ALLGOOD + ". 
Max-age is set at $maxAge" - $audit = [AuditStatus]::True - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.1" - Task = "Ensure HSTS Header is set" - Message = $message - Audit = $audit - } | Write-Output - } - -} - -# 7.2 -function Test-IISSSL2Disabled { - <# - .Synopsis - Ensure SSLv2 is disabled - .Description - This protocol is not considered cryptographically secure. Disabling it is recommended. This protocol is disabled by default if the registry key is not present. A reboot is required for these changes to be reflected. - #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" - - # SSL is disabled by default - # if $path exists, $path/server should also exist - if ((Test-Path $path) -and (Test-Path "$path\Server")) { - # Ensure the following key exists - $Key = Get-Item "$path\Server" - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" - # Ensure it is set to 0 - if ($value -ne 0) { - $message = "SSL 2.0 is enabled" - $audit = [AuditStatus]::False - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.2" - Task = "Ensure SSLv2 is disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.3 -function Test-IISSSL3Disabled { - <# - .Synopsis - Ensure SSLv3 is disabled - .Description - This protocol is not considered cryptographically secure. Disabling it is recommended. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" - - # SSL is disabled by default - # if $path exists, $path/server should also exist - if ((Test-Path $path) -and (Test-Path "$path\Server")) { - # Ensure the following key exists - $Key = Get-Item "$path\Server" - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" - # Ensure it is set to 0 - if ($value -ne 0) { - $message = "SSL 3.0 is enabled" - $audit = [AuditStatus]::False - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.3" - Task = "Ensure SSLv3 is disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.4 -function Test-IISTLSDisabled { - <# - .Synopsis - Ensure TLS 1.0 is disabled - .Description - The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL: - - SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. 
- #> - - $message = "TLS 1.0 not disabled" - $audit = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" - - # TLS 1.0 is enabled by default - if (Test-Path $path) { - # Ensure the following key exists - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - # Ensure it is set to 0 - if ($value -eq 0) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - elseif ($null -ne $Key.GetValue("DisabledByDefault", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "DisabledByDefault" - # Ensure it is set to 1 - if ($value -eq 1) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.4" - Task = "Ensure TLS 1.0 is disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.5 -function Test-IISTLS1_1Enabled { - <# - .Synopsis - Ensure TLS 1.1 is enabled - .Description - Enabling TLS 1.1 is required for backward compatibility. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" - - # TLS is enabled by default - if (Test-Path $path) { - # Ensure the following key exists - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - # Ensure it is enabled - if ($value -eq 0) { - $message = "TLS 1.1 disabled" - $audit = [AuditStatus]::False - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.5" - Task = "Ensure TLS 1.1 is enabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.6 -function Test-IISTLS1_2Enabled { - <# - .Synopsis - Ensure TLS 1.2 is enabled - .Description - TLS 1.2 is the most recent and mature protocol for protecting the confidentiality and integrity of HTTP traffic. Enabling TLS 1.2 is recommended. This protocol is enabled by default if the registry key is not present. As with any registry changes, a reboot is required for changes to take effect. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" - - # if $path exists, $path/server should also exist - # TLS 1.2 is enabled by default - if ((Test-Path $path) -and (Test-Path "$path\Server")) { - # Ensure the following key exists - $Key = Get-Item "$path\Server" - if ($null -ne $Key.GetValue("Enabled", $null)) { - # Get-ItemProperty returns a [UInt32] - $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" - # Ensure it is set to 0xFFFFFFFF(4294967295) - # [Int32] -1 is the same as [UInt32] 4294967295 is the same as 0xFFFFFFFF - # PowerShell always uses signed ints for numbers; the smallest type that still fits the number - if ($value -ne 4294967295) { - $message = "TLS 1.2 is disabled" - $audit = [AuditStatus]::False - } - } - else { - $message = "TLS 1.2 is disabled" - $audit = [AuditStatus]::False - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.6" - Task = "Ensure TLS 1.2 is enabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.7 -function Test-IISNullCipherDisabled { - <# - .Synopsis - Ensure NULL Cipher Suites is disabled - .Description - The NULL cipher does not provide data confidentiality or integrity. It is recommended that the NULL cipher be disabled. 
- #> - - $message = "NULL cipher is enabled" - $audit = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\" - - if (Test-Path $path) { - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - if ($value -eq 0) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - } - else { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.7" - Task = "Ensure NULL Cipher Suites is disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.8 -function Test-IISDESCipherDisabled { - <# - .Synopsis - Ensure DES Cipher Suites is disabled - .Description - DES is a weak symmetric-key cipher. It is recommended that it be disabled. - #> - - $message = "DES cipher is enabled" - $audit = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56\" - - if (Test-Path $path) { - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - if ($value -eq 0) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - } - else { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.8" - Task = "Ensure DES Cipher Suites is disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.9 -function Test-IISRC4CipherDisabled { - <# - .Synopsis - Ensure RC4 Cipher Suites is disabled - .Description - RC4 is a stream cipher that has known practical attacks. It is recommended that RC4 be disabled. The only RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128. 
- #> - - $rc4Ciphers = @("RC4 40/128", "RC4 56/128", "RC4 64/128", "RC4 128/128") - - $index = 1 - foreach ($rc4Cipher in $rc4Ciphers) { - $message = "$rc4Cipher cipher is enabled" - $audit = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$rc4Cipher\" - - if (Test-Path $path) { - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - if ($value -eq 0) { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - } - else { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.9.$index" - Task = "Ensure RC4 Cipher Suites is disabled" - Message = $message - Audit = $audit - } | Write-Output - - $index++ - } -} - -# 7.10 -function Test-IISTripleDESEnabled { - <# - .Synopsis - Ensure Triple DES Cipher Suite is Disabled - .Description - Triple DES Cipher Suites is now considered a weak cipher and is not recommended for use. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - try { - $enabled = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168\" ` - -ErrorAction Stop ` - | Select-Object ` - -ExpandProperty Enabled - - if ($enabled -ne 0) { - # If the key is $null, Triple DES Cipher is enabled - $message = "Triple DES Cipher is enabled" - $audit = [AuditStatus]::False - } - } - catch { - # TODO: check if this is still true - # If the key/value is not present,Triple DES Cipher is enabled - $message = "Triple DES Cipher is enabled" - $audit = [AuditStatus]::False - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.10" - Task = "Ensure Triple DES Cipher Suite is Disabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.11 -function Test-IISAES128Enabled { - <# - .Synopsis - Ensure AES 128/128 Cipher Suite is configured - .Description - Enabling AES 128/128 may be required for client compatibility. Enable or disable this cipher suite accordingly. 
- #> - - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - - try { - # Get-ItemProperty returns a [UInt32] - $enabled = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128\" ` - -ErrorAction Stop ` - | Select-Object ` - -ExpandProperty Enabled - - # [Int32] -1 is the same as [UInt32] 4294967295 is the same as 0xFFFFFFFF - # PowerShell always uses signed ints for numbers; the smallest type that still fits the number - if ($null -eq $enabled) { - # If the key is $null, AES 128/128 Cipher is disabled - $message = "AES 128/128 Cipher is disabled" - $audit = [AuditStatus]::False - } - elseif (($enabled -ne 4294967295)) { - # If the key is not set to 0xFFFFFFFF(4294967295), AES 128/128 Cipher is disabled - $message = "AES 128/128 Cipher is disabled" - $audit = [AuditStatus]::False - } - } - catch { - # If the key/value is not present,Triple AES 128/128 Cipher is disabled - $message = "AES 128/128 Cipher is disbaled" - $audit = [AuditStatus]::False - } - - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.11" - Task = "Ensure AES 128/128 Cipher Suite is configured" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.12 -function Test-IISAES256Enabled { - <# - .Synopsis - Ensure AES 256/256 Cipher Suite is enabled - .Description - AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. This is enabled by default on Server 2012 and 2012 R2. 
- #> - - $message = "AES 256/256 Cipher is disabled" - $audit = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256\" - - if (Test-Path $path) { - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Enabled", $null)) { - $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" - # [Int32] -1 is the same as [UInt32] 4294967295 is the same as 0xFFFFFFFF - # PowerShell always uses signed ints for numbers; the smallest type that still fits the number - if ($value -eq 4294967295) { - # If the key is set to 0xFFFFFFFF, AES 256/256 Cipher is enabled - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - } - } - else { - $message = $MESSAGE_ALLGOOD - $audit = [AuditStatus]::True - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.12" - Task = "Ensure AES 256/256 Cipher Suite is enabled" - Message = $message - Audit = $audit - } | Write-Output -} - -# 7.13 -function Test-IISTLSCipherOrder { - <# - .Synopsis - Ensure TLS Cipher Suite ordering is configured - .Description - Cipher suites are a named combination of authentication, encryption, message authentication code, and key exchange algorithms used for the security settings of a network connection using TLS protocol. Clients send a cipher list and a list of ciphers that it supports in order of preference to a server. The server then replies with the cipher suite that it selects from the client cipher suite list. 
- #> - - [String[]]$cipherList = @( - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" - ) - - $message1 = "TLS Cipher Suite ordering does not match reference" - $audit1 = [AuditStatus]::False - - $message2 = "TLS Cipher Suite contains more ciphers" - $audit2 = [AuditStatus]::False - - $path = "HKLM:\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\" - - if (Test-Path $path) { - $Key = Get-Item $path - if ($null -ne $Key.GetValue("Functions", $null)) { - $functions = (Get-ItemProperty $path).Functions - - if ($cipherList.Count -ge $functions.Count) { - $message2 = $MESSAGE_ALLGOOD - $audit2 = [AuditStatus]::True - - $equalOrdering = [System.Linq.Enumerable]::Zip($cipherList, $functions, ` - [Func[String, String, Boolean]] { - param($cipher, $function) - $cipher -eq $function - }) - - if (-not ($equalOrdering -contains $false)) { - $message1 = $MESSAGE_ALLGOOD - $audit1 = [AuditStatus]::True - } - } - } - } - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.13.1" - Task = "Ensure TLS Cipher Suite ordering is correctly configured" - Message = $message1 - Audit = $audit1 - } | Write-Output - - - New-Object -TypeName AuditInfo -Property @{ - Id = "7.13.2" - Task = "Ensure TLS Cipher Suite does not contain more ciphers" - Message = $message2 - Audit = $audit2 - } | Write-Output -} - -#endregion - -#region Report Generation - -function Get-IIS8SystemReport { - # Section 1 - Test-IISUniqueSiteAppPool - - # Section 2 - Test-IISPasswordFormatNotClearMachineLevel - Test-IISCredentialsNotStoredMachineLevel - - # Section 3 - Test-IISDeploymentMethodRetail - Test-IISAspNetTracingDisabledMachineLevel - - # Section 4 - Test-IISIsapisNotAllowed - 
Test-IISCgisNotAllowed - - # Section 5 - #Test-IISAdvancedLoggingEnabled - - # Section 6 - Test-IISFtpRequestsEncrypted - Test-IISFtpLogonAttemptRestriction - - # Section 7 - Test-IISSSL2Disabled - Test-IISSSL3Disabled - Test-IISTLSDisabled - Test-IISTLS1_1Enabled - Test-IISTLS1_2Enabled - Test-IISNullCipherDisabled - Test-IISDESCipherDisabled - Test-IISRC4CipherDisabled - Test-IISTripleDESEnabled - Test-IISAES128Enabled - Test-IISAES256Enabled - Test-IISTLSCipherOrder -} - -function Get-IIS8SiteReport { - - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Site] $Site - ) - - process { - $AppPools = $Site.Applications.ApplicationPoolName | Sort-Object | Get-Unique | Get-IISAppPool - - $AuditInfos = @() - - # Section 1 - $AuditInfos += $Site | Test-IISVirtualDirPartition - $AuditInfos += $Site | Test-IISHostHeaders - $AuditInfos += $AppPools | Test-IISAppPoolIdentity - - # Section 2 - $AuditInfos += $Site | Test-IISTLSForBasicAuth - - # Section 3 - $AuditInfos += $Site | Test-IISMachineKeyValidation - $AuditInfos += $Site | Test-IISMachineKeyValidationV45 - $AuditInfos += $Site | Test-IISDotNetTrustLevel - - # Section 4 - $AuditInfos += $Site | Test-IISDynamicIPRestrictionEnabled - - # Section 5 - $AuditInfos += $Site | Test-IISLogFileLocation - $AuditInfos += (Get-Website $Site.Name) | Test-IISAdvancedLoggingEnabled - $AuditInfos += $Site | Test-IISETWLoggingEnabled - - # Section 6 - $AuditInfos += $Site | Test-IISFtpIsDisabled - - # Section 7 - - $VirtualPaths = $Site | Get-IISSiteVirtualPaths -AllVirtualDirectories - $VirtualPathAudits = foreach ($VirtualPath in $VirtualPaths) { - $Configuration = (Get-IISServerManager).GetWebConfiguration($Site.Name, $VirtualPath) - $VirtualPathAuditInfos = @() - - # Section 1 - $VirtualPathAuditInfos += $Configuration | Test-IISDirectoryBrowsing - $VirtualPathAuditInfos += $Configuration | Test-IISAnonymouseUserIdentity - - # Section 2 - $VirtualPathAuditInfos += $Configuration | Test-IISGlobalAuthorization 
- $VirtualPathAuditInfos += $Configuration | Test-IISAuthenticatedPricipals - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationSSL - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationCookies - $VirtualPathAuditInfos += $Configuration | Test-IISFormsAuthenticationProtection - $VirtualPathAuditInfos += $Configuration | Test-IISPasswordFormatNotClear - $VirtualPathAuditInfos += $Configuration | Test-IISCredentialsNotStored - - # Section 3 - $VirtualPathAuditInfos += $Configuration | Test-IISDebugOff - $VirtualPathAuditInfos += $Configuration | Test-IISCustomErrorsNotOff - $VirtualPathAuditInfos += $Configuration | Test-IISHttpErrorsHidden - $VirtualPathAuditInfos += $Configuration | Test-IISAspNetTracingDisabled - $VirtualPathAuditInfos += $Configuration | Test-IISCookielessSessionState - $VirtualPathAuditInfos += $Configuration | Test-IISCookiesHttpOnly - - # Section 4 - $VirtualPathAuditInfos += $Configuration | Test-IISMaxAllowedContentLength - $VirtualPathAuditInfos += $Configuration | Test-IISMaxURLRequestFilter - $VirtualPathAuditInfos += $Configuration | Test-IISMaxQueryStringRequestFilter - $VirtualPathAuditInfos += $Configuration | Test-IISNonASCIICharURLForbidden - $VirtualPathAuditInfos += $Configuration | Test-IISRejectDoubleEncodedRequests - $VirtualPathAuditInfos += $Configuration | Test-IISHTTPTraceMethodeDisabled - $VirtualPathAuditInfos += $Configuration | Test-IISBlockUnlistedFileExtensions - $VirtualPathAuditInfos += $Configuration | Test-IISHandlerDenyWrite - - # Section 5 - - # Section 6 - - # Section 7 - $VirtualPathAuditInfos += $Configuration | Test-IISHSTSHeaderSet - - New-Object -TypeName VirtualPathAudit -Property @{ - VirtualPath = $VirtualPath - AuditInfos = $VirtualPathAuditInfos - } - } - - New-Object -TypeName SiteAudit -Property @{ - SiteName = $Site.Name - AuditInfos = $AuditInfos - - VirtualPathAudits = $VirtualPathAudits - } - } -} - -function Get-IISHostInformation { - $infos = 
Get-CimInstance Win32_OperatingSystem - $disk = Get-CimInstance Win32_LogicalDisk | Where-Object -Property DeviceID -eq "C:" - - $IISinstallPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\InetStp").Installpath - - return [ordered]@{ - "Hostname" = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName - "Operating System" = $infos.Caption - "Build Number" = $infos.BuildNumber - "IIS Version" = (Get-ItemProperty -Path ("$IISinstallPath\w3wp.exe")).VersionInfo.ProductVersion - "Free physical memory (GB)" = "{0:N3}" -f ($infos.FreePhysicalMemory / 1MB) - "Free disk space (GB)" = "{0:N1}" -f ($disk.FreeSpace / 1GB) - } -} - -function Get-IIS8HtmlReport { - <# - .Synopsis - Generates an audit report in an html file. - .Description - The `Get-IIS8HtmlReport` cmdlet collects by default data from the current machine to generate an audit report. - - It is also possible to pass your own data to the cmdlet from which it generates the report. To do this, use the parameter `SystemAuditInfos` and `SiteAudits`. - .Parameter Path - Specifies the relative path to the file in which the report will be stored. 
- .Example - C:\PS> Get-IIS8HtmlReport -Path "MyReport.html" - #> - - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string] $Path, - - [AuditInfo[]] $SystemAuditInfos = (Get-IIS8SystemReport), - - [SiteAudit[]] $SiteAudits = (Get-IISSite | Get-IIS8SiteReport), - - [switch] $DarkMode - ) - - [hashtable[]]$reportSections = @() - - $reportSections += @{ - Title = "System Report" - AuditInfos = $SystemAuditInfos - } - - foreach ($SiteAudit in $SiteAudits) { - [hashtable[]]$virtualPathReports = foreach ($VirtualPathAudit in $SiteAudit.VirtualPathAudits) { - @{ - Title = "Report for: $($VirtualPathAudit.VirtualPath)" - AuditInfos = $VirtualPathAudit.AuditInfos - } - } - - $reportSections += @{ - Title = "Full site report for: $($SiteAudit.SiteName)" - AuditInfos = $SiteAudit.AuditInfos - SubSections = $virtualPathReports - } - } - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "IIS 8 Benchmarks" ` - -ModuleName "IIS8Audit" ` - -BasedOn "CIS Microsoft IIS 8 Benchmark v1.5.0 - 12-30-2016", "CIS Microsoft IIS 10 Benchmark v1.0.0 - 03-31-2017" ` - -HostInformation (Get-IISHostInformation) ` - -Sections $reportSections ` - -DarkMode:$DarkMode -} -#endregion \ No newline at end of file diff --git a/IIS8Audit/LogFileModule.psm1 b/IIS8Audit/LogFileModule.psm1 deleted file mode 100644 index bf0d7358..00000000 --- a/IIS8Audit/LogFileModule.psm1 +++ /dev/null 
@@ -1,148 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - -#region Author(s) -# -# Author(s): Dennis Esly -# Date: 05/01/2017 -# Last change: 05/02/2017 -# Version: 1.0 -# -#endregion - -function Set-LogFile -{ - [CmdletBinding(SupportsShouldProcess)] - Param( - [Parameter(Mandatory=$true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory=$true)] - [Alias('Logname')] - [string]$Name - ) - - - $FullPath = get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)){ - # WhatIf parameter - if ($PSCmdlet.ShouldProcess("$FullPath", "Overwrite")) { - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } - } -} - - -function Write-LogFile -{ - [CmdletBinding()] - Param( - [Parameter(Mandatory=$true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory=$true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory=$true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error","Warning","Info")] - [string]$Level = "Info" - ) - - - set-LogFile $Path $Name - $FullPath = get-FullPath $Path $Name - - - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch($Level) - { - 'Error' { - Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { - Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content 
$FullPath "" -} - - -function Get-FullPath -{ - [CmdletBinding()] - Param( - [Parameter(Mandatory=$true)] - [string]$Path, - [Parameter(Mandatory=$true)] - [string]$File - ) - - if ($Path.Length -gt 0) - { - if ($Path[$Path.Length-1] -ne "\") - { - $FullPath = $Path + "\" + $File - } - else - { - $FullPath = $Path + $File - } - } - - return $FullPath -} diff --git a/IIS8Audit/README.md b/IIS8Audit/README.md deleted file mode 100644 index 50d39b9a..00000000 --- a/IIS8Audit/README.md +++ /dev/null 
@@ -1,50 +0,0 @@
-# CIS IIS 8 Audit Script
-_based on CIS Microsoft IIS 8 Benchmarks v1.5.0 12-30-2016_
-
-## Overview
-
-The `IIS8Audit`-Module benchmarks the current systems settings with current hardening standards such as the CIS Microsoft IIS Benchmarks. This module is specifically designed for Windows Server 2012 with IIS 8.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **PowerShell 5.1:** To find out the current version use `$PSVersionTable.PSVersion`.
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-* **IISAdministration Module:** The audit module uses Cmdlets from the IISAdministration module which is *not* included in a IIS 8 installation. Please download the module first and put it into the Windows PowerShell folder.
-
-If you have a internet connection on your machine you can simply open an elevated PowerShell and type (to install the module)
-
-```Powershell
-Install-Module -Name IISAdministration,ATAPHtmlReport
-```
-
-## Installation
-
-The easiest way to get the module is by installing it with `Install-Module -Name IIS8Audit`. This also installs all the dependencies of this module.
-
-### Loading the IIS Audit module
-
-You only need to import the module when you haven't installed it. When loading the module, make sure that the manifest is loaded as well. Do not include the file extension of the module.
-
-```Powershell
-Import-Module -Name .\IIS8Audit -Verbose
-```
-
-This is important because the manifest tells Powershell about the assemblies and modules that the module requires.
-
-## Troubleshooting
-
-If you get an error like:
-```
-Get-IISSite : Method not found: 'System.String System.String.Format(System.IFormatProvider, System.String,
-System.Object)'.
-```
-
-Try the following in the given order:
-1. install the latest Windows Updates
-2. install a newer .NET Framework
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
diff --git a/IIS8Audit/Sample/report.dark.html b/IIS8Audit/Sample/report.dark.html deleted file mode 100644 index 63c4a55ed29bc4360d72a15423910d4acab66610..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 136844 zcmeF)=W<<1nx$#{t-Ih<+gNrtIszaFL1t%{8D&rlkOajDGit4%DB9-MXXbsj^CUnL z%wS|?WkprB!EnUhzFqq#*0Fut_>rJI?cipR0?@RTt&rkdIud z*OS%eRVnUG`QD#$JGhow@;~~2Sf4%mT#~wMPtW|*+`0a)SIeXQpD4xasn=eW^XA-( z>UwDI|EPvX=N9Ic=8jCSi`81{!(I8~-16M9URV13e>F}EQ+;N6|EcG<=RSTe>3(&7 z*tbJ-|Fi#pn0x%WM}O**zJFG_kL7i!*7<(F8t5~9_)9f27Ek_s#hAMPc<#SXxs4jT z|9Z+}@$+?k^sqnIpG|`sTUA^~(4k&;37B{$}K8`Pbz>>q2vQhE75@;OJn^KDNaY23f<$x-{SOMhDXW_37ttj2RMYwe**o~1Q% zTa{wnkJ(|iznMm1udTDE{#cve)NB9z7LVGHBV%>V>SGpf)+a{uw^2&(mo=Z10;5-;T>{R1SZh>7xeb(1&KyPnDp* zo_t;@B+=upk5r@YNQfb&zD~Ve``_-HWeaovbsDdoYGj`N)a&c=d(+kZz4u>}4g0VB zTrCcI=6{yzANEO5D^WWZ=l=K4HQYY}PR>58gn^S4OEq6JSSN`_r{=VEdYxS^1^zhG< zOc?g;qrU&o{{NwM|07a|&2X&0FWWG*EPW~0Z~N@)`(L;C>-*o<`DwC_4ElZvU*7+= zgfH(ORKk&8DdEfe-(Mcxnjq+Z<>}fY^i=FP7 zS?RxK)f{AP9jw)Vw0`?7koV2%nRL<$d650u@ej#m^K{RW))HE1ua)QnJ`+9wW%Q;mv9L>*>=>1ApE2 z#ZnypY~_xc{n+aK)+YGdkJHy)#LQEfc`HMzeK}Tty?wl#r18J<*`E5=TbfCvrP7VL z!XMo40s21kNqF`8gh%MJ6|q}yKWLT=InT$QrDh2aPybo-^GWI0u)_~Oli&JNm;sNB zr^s_WTWV5jv;5@qa2oY{jkxFUmBXXz^1K=MsL%hsCx#uiTHXI!caC*$q0iUyw(rcX z&)u#jZ|Clo_IQ8S^TJ=`nfpAh_;k?U)pFVD&WTWm)79eE+~w-@Xv+7*^n?=pohV1| zr#_c^x!$-}JJwql54y^$xtQ!-nfuiHtMYqMt(WG`*AKo+f4`a?tJZg_@A1B0>icrG z^u_*H5p+aySg- zM)kei=hM9!uU~pSSG!(M^|@I&Z$oo7x_)_XwfjreWu^W*S*nHV@ocKkquTYh67N@! z6OE?&tXIQxwVUO1zvs30O8GvS%Kx(6SE~28|EgM%V82wO-JX9|e#_Hy@_8`z<7VYv zuYM;g=a+JO*8BCo-KjMj)#piVTH6_f>kuOpS~eYdh-^{;+6dU~b)y51~N|7X2_oZb)r zxqSV2q+VvD|I++hu77S#{eP}B2h~?yH|o1PJ$Js59^>$KnzzffSNZGx8%G|({nBmJ z0^?*14{GNa&(n?0<%SXMfgV)u4r*dy~eYf{ljg#-jce{F92Tv>iWa&Rl z<7~a$Fa2Wgv-#uuhn{;-8{YQ+uv%Jg-|y$Yc6}bHH8)#7)`9hWcq-??RNuo>KUrrt zYsW_aqrb_pUrM?4xxK5OzrX*R_sd>?sGr$;qyD%$)$8SFxv^4z-ftC*{x*)*v-z>u zXx{uRKVDDkTEDL}?_)+591=%$Fwmrc?^c8Lsji1B3#xpk5}r4! 
zKTYj9G4<4o%37Y%J*^H``oC07)=T%j`dMGr898{ru{Q1p_a6(ET-JZz)^Fo)T0e67 z)HL23)yw)PC&~9?)4DlT4W3nx{p;;Xz4S||cR#29RDGp?UtiK2H~Oas-jvT$t=y?k z-RGNqY^0tw!)AKIJb&L4H!Ekgz9CmWmf!83u^vzN|FQmp=#ne??|Rp6)&KO*kW)i$ z4LPvU3NwD{J=PIDDc(TOYpDToe?S5WA-73|~X+5uhr+(}I;`Q78bH9_5GrjV5>f_tBjn2|f z@27EnIgS7GX8DtzJ2}k@?a}WueKi|L`910StiQ=u@}34B&!6h~-B4Wdr=LCZRPcBDVMr(vUd1>x)jG7k-y*jw>o~m z&SxteuYTXYA5_mLpX)ud8LrhI@;~VL@8$b1aebj)*1IRF-?`p@sfSNArpIfSYph)( zpx;kT@5bdrS5GxF#<+Mr-W=H9?s4twS1HJt6SezEGxcPzmwG+f_u06ri*(BW`uQ)v zyYG2VvXS+u6+N@if0^#PE9JGyb$_{;s_sWW=YG1Y#^GAmPjubPJK3kxNkadZs^_Jo z$F*km$>u06!d};kbFJ;u$%t#Mu8ULZ_2#^_u-fZ~a%F*hoMhIep1s^Ry5Vhi*#<{@ zKVNO`me=#jdeWT>tra@*N>}K`r`7n`WbvHq+T))1SibIknp#0eZTC$b_&twWv%mCd ztQzyqywNYGD&<;b`p$Mf+xy<1elX6XKd<-sL;u=uPHfcHv*mGX%KJ@Mo_3$)K3(nZ zq!ZK|CdkI7L+SqW-Mvv=wEaTq&-CqT_gQlE!HayW^IhW`-RToQ?oD-4!`b+s>v^`k z_FS!mQ^_wrlChG`C|~OTPXB+;t0x+h*NxY;M#TvEyINb`p*MT70znUaLQNCYNigd3U0kU1(%Z^r|fK{c7n~`u?*2 zi}ll)$FUANQjYdv?Y zR-7rfPvy5zOHP&g;*=YU=v^bR*1hvz)$VL*o|fN6xt;8p`;`D6xZB@qrLWfeN@SvU2vfQ4R;%qfzr_J}|+giI)o>$6kx0bD!YOCvKtJV4G zf4&-C>K=x`l}2d3nPIF+r_;581tFFXM}Jh=e6s7!qmT8=!)gR`nXfn2s?C$GkdDih zVQg-eiskmST0X0^tJUXpsZRFkNOky7%9VO=Z^ZWZ$*I=IvDVRgPxI{V_P+Re9qAa$YUn&{p^BhZ8-)O5CWPS3mdSqspeut#Iv~uRW)__Mm6k#w*q4 zWo5CyX7lKD*Zw*4=u9nnUWt7EwMu_o>v&W&-)f(iYw?F_N#^k5Pc~Oa?T&PRxwOaX z4Rd|78Xi2?kJU5$@2ky`6ZN?DajDlg<@l;kXDfZ9JmyP7H$1M7$)2Me_ranI0XT5x`XU!(| z=Vooa(1;kD8&l65oz~>nZQqk2tR0x-(2nF7tnWlEWgWchkK8q{ZcT0d{#txoJw>)z zO`oda>)v^zvlf1Tz0GC_J7q|k`DVCP3;+54>^feL{59+8e05su|4zMnq@Egc>SD8J zt=g|v?~m1dw;o>Y?oOr9cFWa=1bWryF`HH=$#k|JSI?vM{#y6%eU?ymLXM-OQH0-ltd7EMW8Uf$UktPqLV-NS5l& za^9Wlz0YPlKzq~2n$+^!`0 za`=rOduFub_LT4AURgNivB>U|>F%@2zfrD6bZFC0eLgjf(`q&FESrfvuT89(H`SkR zUhB@Vme>{0crAO{^DMyOPt7++_&Ucc?Opfi`H#~WUMioZ%062wmb&+>@|SAc=}Lq3 z9x1oSeLh~!FUxO?AyjK`Zk(uxcAE>@0!@R@TaVhU#82h$uBWZUh1&GGc0i9mmB+=( z|9e`^``6m61rP~{i`d7hMi5STuU>uJm6iI|95Nq=B{}3TT%9Kcj~JdR{K-tb+59s) z{06;CkKCF1@WONt`f$COdv}JpR5N?G-n<(r_8>q%`6C-^)=Rk 
za+m4}3`us2S&GdIedj>PJv+-*Tn*$34w1U#=YT>P^??ySGxwZ+l*8r@P9!HxgqV z;s{@^e3+k^4^cW^O-PBwo;qJIto9Tg`L6cC%}2TCr~Ww7tG*$5-qw>B`ajZKeo;M? zxKdshrk2rEW)01Ku2Ip_6Sa|7$wwt&p0)Bml#2DF*Pc}t8w!G;FBdB3O0Q~pzIrcI z=339JR_fZ6uhpbvHt_!WEVbS~+x1sH2Y>xI_15F+XoRo#f2=!4Yvpp^_%hFH8ANS= zPP3Kq_q!?%dAxBrR=@4mD+~4T<=XhH`niUoeX;((n$+dd7)Ku5lm1s)g^Q)2(H^&w zpd`0@iY);f5x1pL*@IWRzfrE|dy>DbcZdG8E)UlJB>#M6-tGzdbFFfol+TSy{?L_& zjReegzN;``b#wh#GXUDoq7esOtrqu7`M%HW8nOY#h{a%rUG9~C1M|O8YE1G6)se1+ zo{*=fssoSbL!Ta(Gn>&|7+UB?Y1!3R%S9}ZPeqPhs3eh~o!Yy6yyo`Iv!PyMsp6VU&i-cPm4AYQks zgSqm)l;R2J>Jz>HvQpF>I`pU~AdCD3@j}+-;c|RbUy4z}r9YG>sm1E#r(W*vX6YVR zg1GYG-XShVRJ8bdcQ<-{T3sQPpSmvsu~j+C^~^?ji)dUdHEiWkt-_CBA+be%sZ17t zSmx2ngBM*d<=b9KNme!=>t6kHy*|C$XW9%0g1myk+^8+5s+oB9dM$?&ZgmyP_rBV^ znx0WB$lG!?x>HHl%M-c>4;q**tL8>ETB~Nb`fNSk6V3RbJ3CX&&R3(4&Ch$)a;%E& za(-RCp)5Qtaa0=Sec!h#1H(a-4{~G{in-n_&H1U9Zg)q#oj$u+y~O_Y4eR4|C0;BQ z{KY({W6n)!%qkH@(R$bv-36yP+kGn*_Q+1c{G(5Jrb91Yz!~fn~SBl67}GbuJ8!VuZ^yJtnZ-DWY%ui#nsN2 z+WdV{zGNTYj&#+ZEVV1$e_9SZ-7_n8dLE!|TTO@U${8OReK0y}mAoBejYD_@eJHyya=$)5Qy=de*(&p4XNksTXU- zTCX}J*VX5p3{R*%4fSaLvh`~4&h1B6!#lH zaaDNCqv{Xwr3LLUIb2;{Ry&akNQuwJVW}L>PfuSj?X&WFRJ)G$X``|rG$(4=rRuTO z{o9qS{!m}o=k59y0{Wz~t=-k`;d|kkEmh+1f1m{-yu7lF?!E3C982_fwcH=pL;OI} zoE=B*o3(5#dge;KNJ@zL(A&?;WviO-jy5azN%eSHig$gcTVB;e_!^t_#ryv6*Vc>m z!gjg7uZEZEr|UfdUxeq1EuE|EwbH!o=~q2-rK`L=C{s~_TkS+`wEad)eL1m^EO zF7+>6=gFL@HY6~=iwqDOfRry*8(NNE#ophjHs{L%cey`M4wz$>%xEejL z6l+98V6(C=R8uPt=UdE-C-Ar#LW3VImlM^29rm(ku+vxrF!#0op_lZgktT!B);1Oe zStj0fs*xazp7)Ipd#_P{SfA}wkMq^|ZYjyN?dIr4f5)rMh2GECUc27zl>$y?Wx-K* z%Ej)Ecjb7i=V21G`lo5sp@&=Do3Er_s`Ig0Ld){X#1gO7$9B=NK4|RSYWZQR+gewQ z@$2e)ulvty(V3|=N+(tIDs~p6_;R%q6T;fQR=XiGR`0OAA6A#^<)>A4Bw)~OR8RKk zk@6s^c}MJtmHO;O*Lj*^ZM;BH54!O|H5SdeRGU}^xaT4QETH>+Kivq36|#=31d*2a zm3Ft(q{q$L@TgQImzhc{toO9|JGdv)Xi^KiF3U{jIZr4dceSM>LY?f9m z$Eu=x?R{MBnVqS(L^SvaRDfos92@3NJ!xgZ z^=LcxF)kW}1vY=ZJTLbDq%>RA&eKM6r=Bn(=S#_ISL%^wfXMRkS`U-D&|L@+2CKDt zslMTJpYQ$s)T{8*!?k?3ys=rty^eP8Z0-M8X)H^&COndi774LJx2M+IuW0wnheq>5 
z{X+k*_kE*0UsVSk%2>Sa|7xGkHzt_9SaEQulhv3n@TNKq zUKCE_Qh8y+-tYZG_sNDwrQB?c$QOEnz0G3ewV5U2&>t)3S??^b%jGX-dAGj0JV}(L z(nIMkO|>%4m<9Zg9Oq5-$Hd>MopOWSisqZQ>$QcgZ*E-b(^8{xrGBLM zM0V*+Uf=n0U@P-%`E{6a7+KaeWPo0u@n`W7M72-!B#Xl8<=gRn`O#0Nc{=cce`^*y zAC{gF)rT^%7ltOe+bBUwpldk3ybG8cy9|%yQf)uhH?s9g*B;eJuj^BB*@vawsh957 z%dFV-X;#y7;$R}#d@>`%10+d!zhpT*fLF;o6n8Ki*~i#h{JjUwyRDvtI70EZn=^N& zZ}vvsuNEIF`~Ebx{A_+S{RgkWNw;Hac!uI|FMHPdVSmvsbOhN+-!An{?B0C4Rn1;^ zMJqRZZnrjVmhM>fdr*nA$C2s+bEI$h^?L8@^gpnE{F0MBdAqyh@11h=)Zyl@m2D>w zk9_P`cw0L0WKst+P}KQyX>V5xGxS9xMHlkl?d?BO`(UAZ1IA)cy|wtFI^u8qQf_RT zx1~5+$?toDm%_s)D=;s3KRe}vp(w6?z7%2**zl00>ph3hvs5c_s@W-@`m+*g^XIki zYPGuC74dlEC#Gop$Yf=2mL4mdd|xZg^WJG09>K}-z1&kTdnG5t%FPsV5(=(XMule8 zQj$pQ`d!zrl`mUaj6uv6IwBf&t9-FWp7+P<;=93sA5`L*Qo!h5)>8Wu$UC#`d3lS@ zvWE0GrpKwC5Ff>Sa6w5j499;NY9pK-_Js z&*w_dbL17nzPB6govs@_5|4fJZtBmA)r9BE{xQq#KYG#1o?MT|t>`FngH znt_##qh(Ktkux{Mu;(isRwPPuuM~ItY*nbUIZCczfY<@S|8f`Om|tZlnI0oS%p+bn zW)yB1{}Li3D#D^&DG&ZGEn`k7WBL;7=8S(`O;!f@$Jp7JJkRKZ>&&}0k|;BhlOLO5^w%?R~IXv_4u$m zqIJ7{KiB80)#yq!haVeHw#maOACXqEAGW}!N@t_dsiH!QwT(}Hy6^l{`jmeq2T~uy zg!c+X`!KbUwQk>-R*3>{RBt?v8>J9ggpn_HPn_d^?Sd_=)dFboiPFN??2M4+Qu$!# zS$R(y-(x+oRh}2Cy?KU1wAuXG>B)!P<*SRcy2mr*m2H&|P9M7kFTn05hyeL%{}bu+ zyz=3nq=cBWStP!~Hsv$X3-H6WO5!C!dIkrD_e`=}Do+fw@prGjfy=$EcJ?0FUvjT8 zay|lNa-~|5zq7~+kD6ag;*yqp;+@L9)fK#R3{ajvmfN}h$vQi1Hp@{AP%IZhh;PZJ zGh5*ur}|F*V05YnMi*8f4EI5E1zLZ-C!pfunBra#FTUNy=HT5%2^VXp7DFV|fmbZ* zM2@qYR%+SP>i)6%8iR9{X8+gK`h@;HU#Z6TUjNt2>1ZwT%u-K0tuJ}!)<4e>X1h3z zfOUthg~4&M8o%xiG=m0UC10o}7psq%sXxSg%wQ7YUghz3>1X(yC=hx5shn1O21ga* zY)-tX)-QYI+lp<%ddNJz!;{9fvW8ETFOS}OdQhI&Avb$wy%gqzI^C^A=nzB%+YgHf zljnXt3ln%+sU*)<*Pi#(nW-NxRuhqL*xsGezN|mses{XU-zWd+>9I%YW%sxGhi%c2 z&ubMX)bZ-d<|PxByM}Kknt<73mlXyZ^qcN@SiM$zf@ZY~?L;}9C@&|0*ePGM#b_V>!2cgRo0Fvi-YCq&WimfMxafSl#m zVu(Gd=5H$LP5EE0CYTm#1#1>hCll;4rr*UrAeF0q<^_)Zj8996<&6EgSh`c)ApxQM zhs%){2Q^^{^M%NbcH z7OO>6fF2T?n6EB;U5KD~)00veV}8A8Hx~1a{x8=jJR3}OJiBYN@3Ub%T z{!)IBXqp8!z|LX=^Yo8Z4>sMs(mEIGNcZe}g^tj{@9JSv`(deW^_?BZBQS>g0jpOO 
z;C6p78@k|CD+a2~R_0fUBeD%?2@Fzu|De$8Zk6j=E!gaux5E3CvHJ5HBAq zfSjR+XhA*_pKZVQ{Cy=G^>Ve0-;%l(UFH|=v*xoc5tmk##@ZWg^_y$4u`{fIv zgJ7~ecp2u_^{IBGseO68d{_?KfE3|tysdQDA6pJa`>sBQde|c-!f~NFOlyg`>m7ay zWD=IZLUPuM`9Le;53&28S$5Sxmmb&O_bUeq&1R#oU|FOIy9tg4B^KpaD!o|!$)0CX zKuotQ(`S5g>vF!bS;*TxIrcAz_4Ddkh@|E~ zu|z?^ zC?%=L{-rOLOV5j8|JxC@)HQJ|%qkq_*VW-@&tTizae|Wt9e7bKNCETkcscRvV5%Rh z+wq=X?20uz-}QI>L0Q?XSIV8f6XU<#E6%8XWfO{=?)Jn+@8bJ{e!pnE6%}X>N4yb`QdY*XUe<`BI6so-388 zI6Y+*ja}Z@!q)hk`ju2*2|(7>i}lafyjXcO(u~JD_Q}BVSGq=jiy=Ymcc%U|8#ep2 zQ%;Zx`clh}RU?QMeGU(1Nkf;d2 zpdnyD_)TMP(4AVfUAgA#k)DQ9-tP%~Y-g_WS4lbZfNd*U$hLV|?cR6Iu9d;tWJN-- z=6hw)Ih&DphTV*hX0?iInC~m){;^uo`SQC_I?*jQD7Gz|pZ&t}7dLlW8r~aJnoWGU zp20y;k4KG<`s0fkJDLmAPrd0X(&1M3;1xG26)q=Uh+V;(7JGeKina2=pE7e7`{V7A z#7690HQ?3Sb9cUc2gemI3>i@(J@lbZc3oJf)+f84zTrij@2)z%tAyKqHjl(Zd1rTO zBMe5w1UJ@Pwr*%;oERfZCyHCpOgOi+7qmm%=XC#=11xf0)@G$b+(nOe>NoQ4OeyU{ zGP)2hwi?9eX1UP?boNSZ#GJWOA3#_|i1p8{#t<8MtCk-vJ-tf$h!5ypRuN`0>*ZtV z?YDJ?tu=3yc`FjVxeKv7q5p z5I^>>F@D!IYXsU%dpdU!!(n@>#cH{TOTl4zHTD&-bB>i(d+m;eGUEr0D6V+x<66OL z6-nkTs}VLIT-1DKC7zq^suf<4{ebL%Q$6>jR>0h`+ya)YwdhkPyP_1M4qq(0)qkkj-7Z8@w_-Y;vK zMR9Q|jTLAuKxkf6BZ$@DHjs{@L+$+5lXk#A0(8FqaC4eFUl1Xp%+AnU?gNR8O@esQ(fqtorb}J87ZDg@8b{hf*zE| zsrs6S!_&uVur{%c`3zRnnOeVEx%dt&W~ehZI5Z2Q56{tZJY6UlNeT^tj?kjl!3rLrM01~2t(@B!^w*B9FM<#^BRG&ObJ3<&_|P&$dRUAy?7BpqBD>tm^s z#bw3sKa@^1^hQ@%v`$FCxw~IItUY+E`F5k0U@(eolfm!~Xv}(PhBsh8wn*r5e^1K) zLv_E@2(VkFq@Varo8|Pb9PGem#bY(WGHB2nr4g%v0bMIEcDf!P3;?=PB=~7hU^_c$ zM|23k4(=dEz|Ond>(gnpNN8TrZcnjG=?OZ){J32@xC|B*w1j^wUVgH7A;SE80aXDc7IJuX4h7V&0tuyk(SE1JMQ+SpW z5*E8lBD|YYJ8v9nZ;tUPc;Y;DI!43I@Ob&Dyb>`s z3}SrzTcsBDP;-0*v6q|WCuRsceqFmnah0`LetH%_&$L(apb9k~3JaJ7M-C7R^3m6G0nbkMHXXEJ?Pd z63>>Jb;H8OZ8}+Q+IGJ*kZQ9UtIP_&*8fWFf_Gx|u+FU@F-SJAGgicQaK}gdTo1uS z50^ruP|rhJ$f^&Oy<0wf9r?bh1*}W599qZDBc;tOT%xnp$Ou3{>_Z}3ekmpC%sQhx zF}=js&-Mq=BXQW9+oiwVbqIyH&8=nw%a1l8f$S2qtLQ`jIId2caDE)SpM)Fn;OEuC zcib5<^I>bgoBG5&#hG2j^#|ZjC~aQKSLacl`!7<7rsLX?a{L%gD1Sl 
zfQK2w35|`J#r6^XIZ=)H3MX4DPF3e{Pz2d;Hr9GnDTJ)6I;dLA=ed}+H9kC(6L z2QP$%mybQ!P9KBXiKM+~EO>*Lsx9wL+>(t0O>++H@k%D)X+d@bWSU3Ia>7YaibxvS zHDct(9NQ5an}@sIJ@XTi?d%CyvNr70dTWFY1Ce0~uz>gj{5D>K97Wf`m3v|SC zCE#AKOnogDKu3!ly+n#ANl*TGu|d zN_juD9qf+m!#KUsb+J)wP?1d*8J?k0w_CNIq-jn!*cdC!If4`BVC-k>Hc8gti ziUQ3`Ya45)bHbkBL70DIrb7a01*ifHz?z35ie9nZS!Lp}hs&FVictuUC7VbEr&r)x zpJ=?zPKXioMC(W#wy<*+F;w16V+5HWyES;kcALNlSWZtXcSNRe8lRWbYBk>Mliz@` zRv{N=j+lvktT!vc46_1A6}t!QtbnCC3&VUg3Rp*CDZDk-3N+6vsm!++xVWg2{VilU zmWSvGz3Q__3)^L2GE(}b8fX{`@=kN}WuMFsYnaUE5f}rk7ur!o&ACsT)y$qH+$?wv zX8*ND3WhG)px^jSv;$p^D`ACNJ3I%{8Xo(p-0UWL)_1%CwV3&PRuc9ssdBf{;1Ko` zi0NJ|9gl&p3c)?uJf>AH)N-h&c@Jg7VWLmiRqzxjC@V^g&0alm3HAp0yVX7M`}frY ze*u~RqsK55b0=YsbVqFH+EfR-S8&H)H8xH};ALRnEcOkDeZD-8Pc5c>c<;t{yV0QM z#x6yBKI~-{gT;Qa*PV`l{gER42x#@0Y9^j0jtc*U>#dX)&au*WF*W;PjIbCQn-~KK z4hdhizYX6;l!ey}Cx^x?RWB#E-0zvOFC30%j|1dWq|Iu;LKHjXuVaVs>7Caj!Xko7 zU-Ld$uh0rIACfJ)L{DK!U^dX=xB7?B53k#9Jl?sMIcJf71KSq!^#uG|EK)S&RBflX zorJPl53yi)Pk4Ov7=J_C?Eir$Xqo+1uzqI|9j_0a1Ovx2Zg#TxGb6DD#NOCRb~Cg6 ztwlY0wYu>lX$*)2Ekq{Je&jgK0>2mW!aRl<@C`&U#a=|NNkK85fj>U2G`n@Idy<%5 zyw??RJ>w_xWc+y~<`^`c250N)H&&`OdwLpYh!Bkjon&8am4cPW|G~Mq+!cNenF_;} z0*_n!XaM)@J`w}8E@1#CE0HJ64$@bm^!P&JA~OtthqltSU*97L#Xopww{s2bEu#7P z-}sO83cHRk&B_$@zEK??*G6Yv;KK9Pw9!0<=UEk7)fyshmD26lqE`N5pS4I-Nz})F z4XEmJqrk!y|2|Ut;nPsr2ep>Jf)ya%?yLwp)9Gq(He+M2DSr)D;lh*`mJDgaKO#9+ zx`UI?`oGy+fKrLb+4lvPqkmw6uynhu%@2Hv--TGvDaS z`Es#xoJb&YwN+|XtQaH7i)CrIjx#pI0i20S&$3odRfo08f)lUSFKa#huo7@f&y>&Y zzVT}9lw9Z=1n6w(NJ6!67ONBZoGK(<0BM0Exr!%)QRWO3`j@{j<`X;$rU?~>YC@`D z#UDxoAH%f3q{i0}58^MA9DF(0HQ)YYPdMF+h2(bxurqhc0}l`SgQtj*x=Gu>>EcncO8BMk>wkzB zo11^YX2Hv)B?bqb{|9qpQHx278uGI3D1)$D*RUuNc$g`@!lt%f`Si34bkzA*80Z)V zH1tZZ_-i6OySY zaHqbIUMo)bM}OHb!`fGC>{*x-^oB=wq5Q_Yy;JSsg`@|J)_yO(4uoR8)*20#)k@D8 zfichYlV0K#KyrA9)-qXR9>OD_Ww3Op2NsB5%weS^Q}Crx%1QA z*X<}|8zdW8f#bBGpU&B0RNSDJHFm&yeP3_}d-=vBEx@*h+u zngGunhH5P>_D(98E%b%8jN9!Ksmcpw*OC0^YBR+6N_n#;Zca6)>tWRPL|8NCg!wuo zsiz;vtz^5U;^@ 
z#wUW*<3_MHp|0=C4KjSCXW@W+|FN$HbAb%7>uv1*!RmR_{jp!yc<|Hdn+v7coyL(w zhb7@%SUap}TG{>qoOc|=H`U5~gsItS2}iP@Kr{iKXVpL(L?-YbuGL1o3K2GYc0^pn zhMYmg@?fvpN6+TuzmQ~F?9^Lm>!+TfE4S-q$Rf)}tj0bMo{dv zysc)eJ99xy+bGyU!}efxIho%&6X#*YnqlvH3Ti+Cu;)k#vXhSsN5Y3*sAe?3n7nx@ z<|@$` zTc;2lbHpqkNI0qdOJl?`fhn11BJm=sv>#v4E*o498r)hC#m6SmZy%}?%S_ySr>E}M za?yKn6^JBjhZhT7f?vSijy0leoAp|)tYdv+C(Mz8}N|YPH@K`=n`dS_}4RhOn#ol4q+q zJptGA{Mo*V+V1oO?R2J;q}hw=)Fw z&1f*Q*%%D`o;+KvUU$kBzk{W)*bKp8HZL%6L`p;@F=ttQBI9D5*aTu#tNn@OVK9$Y9$%5m<=k$(wAnJk-#@5D9<&nT>c%{Yz zzrxt#liTxWuO{r06noRt_8eny!-(VV|hNn|Gu2i*wG zgUmY10v`9KUa&9pYWJ`(%xsp0b%7PU@p)#v>M0RO9E34qWD9@rMpyMXGzvG?`gab{ z$41W{ahYl&QuSesLAm&#L=9mmVKtH0Gp zZnEWQ2#kCuPz{;OmlVTxmI-9Wz9{^PTm74Z_CMh?lZ&j{x4qk^v(PIfR`iumHqP`C z-Nuh6VXbO$7t9D2iRd@B-=)gC-W`3$54qXBo4sSVvB<@(?7gucjh>(**$m<`tQ&Cv z_JL7^WH||o%n@ND@8J|UWLl1sX|9mpc63AWF)8s(@aEM^3}61c^(aKu%!b9l@kFj@ zEw(!j8oY$14vRHM-gF(-LVsW-d5V58k0GH@M^P{cIZuieKs(**&aek~lI$y%&*3TE zLaks;@KB%@54y`vCKHZ#2cFLE!KASY_zV0d@dVb5{gSx4M|#R$2=j}5NEV2x^1;bz zz8BP6Z?kO0z@5tJyZ|Q{+Odh_$`8S9;uV?;BUZ^~vtD0T;>n&MmF51vT*W{5cTPSc zt62K;U7_>r9%XNk1=p$(Kf#)|YT?9u8+(=5TzEGv@mLgVqWy0Gy*VYi$WU_Rr#@DUcL{udYH1G^%A!AHWOA<3cCyjknj z96C`gVCb|tzhWR^$I(l!Hd9Lb}tYX3D4>1y?7$HBbblmdoh4UzEp;P&5G zg`}cUvsy5yAVRn{&NAHUI`kNC`CYwcKa*1j@Br^tOS}s`^P+2X2&RpgCcld3=L`aU zB)Se`vqObu?>5VYd~l4Wj~@%#wze z)Bb#Nl6NrjNf+_QXXVU7ayqNojUmG>c+q!uH;iew&!XFQ`B)o}JpPn5XYH}t?CW~m zHU0$7{HeZ^dGwK2yFf+!ovtFjCqgWqFyGbl)dQaq7Yc)yMM|!0cXzALW<9J=4;cZr zAhli@}k^LgoRJw=8{rgLoT;hI+Fe z*gAJgjeQFl@tYX%Kh_E_f!Aa2($K`BhS$o$x)SNYl-A?c_K514Nvuf-rPvFtuU$@Y zz_Nw9VJnL`+p~)4EouoVf?x1ZNNpGl43teoW*#j+xXz98winpha&i{k7l&a{jMFH1 z`RB_Q(-=m3xZJF9dRR_a8mtPuy_K$t0zI#u^p)8l4#?kMsWz;VTa}Fy&xc{xntw1Y z956l@EL|UCqu`uj(;GP_VPGjjpjdk}&aSDBn+@tUt@DkPLH z!eHfv!-;V;c&u;A4Wfn@>S>Wz-mIQtCtwsqfblxv1$aAV8W~06+D+=D3z0C^8t=n? 
zUa@UhuyGKFg~!>?!=_&;<%ntXJm?I282Ap$ea8?Lhhim=otV(Hv{U^tig@I#Z-^EA z&JHL{3#igUt+cn}UH7g0VSzXUgT!TBV~LT+80c(r>sb`*Lix~CtYzFu=pDP0pF#8E z){6v*61!?YoV|=9-H@eAwUVd(xPHK#5)*h(9Yu4jY}OJz%W6Dc?aZZj(|qMSY?aau zXrsn|=h@JSB(rEY`Glj!N;Zar7mvG7Ht|I7OnH%Iv z$_j<_t2NFgVNbF#@SBG`!l`lky$Gl=VLg%L;(a26pXx2YorE>9+8yz8v2$EuI~nZs zW2r(Jo$PY7>p13ObxsKr!MIs2Jb2M`XtQ5e5Z{_b$;|f`wVc&7 zUp@3T*#vPgGT5c;ICBch!ZU=D(=JdOGmIs5x>~VzMQ%pyA1mTXY1oE#l4Cr=VosGB z`X^Gn+4Hh;oJC@r>}n6(qT@F#eoSpMQt z7s?%f(2SuQS*ym*p4ku8c%f^ULf8XrX6sl)jc&oiktfU4D2P^*4bI{oJ84K&w*7oh zI@Oe}aXOCkBkc#FLs$C4LBmhCBJT9JTAk<$oF6(8io~PZ>>A4w=NpdALlk?ka;;t5 z8QdHQixaZ1H$%uI+=1QNU|hz`<3C#)(s%+&a-mW@>8vMfP83Vr!J5Pcpw;pDSR*h( zSTt^nK7CM6(7bF!{D!grLd0*iI>GNTn*Bn;ot}A7&Uy|n*iOOaBmiq)KdtpFgxyMo z8M27Uc6OLq>1lcs%Vf1YNKjG;yPu!Ox>pJt_Gon#mtym6)TWc=&MFsm->qFIy860w zI0R5znwq5t9fy%yW31_ijhbESc51=xcz=+NW3~Qv<*|xg8Q1}@(i*_QB#nlqrB|>> zaf+Y^c=0fpla((nd%Rv8k%YxkEZ0&J5N7eV@8rUXzR{}Z%9n*>Yw?S!dTu%%kNa;*JkG_ScVylnQ*Old^+(k%nYm*=P$hOkIidGj3^}OW7YDyq1#Y}_396Ow=bNo{$`LS!PE!Y5VCp25XtzY{Uc;9}v?x+Vl8(&P9NJ?Usg~I#~_1R_pADeA83#bn60Efx!uR<=;5B1NNwm zmn$EG6z**|CBK9hCcJm##_`upFqs880cWKha|-_W$i!&NmRC}`k4{DWEL%N z7gx_Xu9gq%#2Rx31b^CZN1g4n)3E6iTz&B(o(;ss$zv=vWy2@!uVEL^sPx~pX`GEM zn+NM&t1%d?MI*8?m4|C-$I$6oBRV@yDNz$riTtMR#;#(V7H3A{tqiXeM-Z=ezTOfs zH*3U(*so&tuqLQGY2>^WzA~RlAHw>~)gyh!_v9yurf!!5ZnXD1wciN6nNb^1Hj@?!)G5b}VU&He|S{<;|@JUD-&)p~w`x$VsuGjk8Jdf|GXE`$gD;H+(WFz>YSmZ*_*=@kWqOq(z@hH+%OvfpSyqOV+#}4DW zV&Y>>V(Zb-kQc}#r1IU=TP!d;H)zC-Qu4sWQ{HvWSU&FC!20k7Sg}?hwjq!2Q&({R zumJ3v#jqMrN-L^k=Kyq=&xlF6Q4L9UJU2Tb>{Wujn**>OJKe99g1n<+MJ>d8ZdDs+ z{Jt$;J88t=$F2hFMZ6YYpS89*wMNWVba~YM>eOQ1oX8wp&w95H1q%lzhlS!=pQS9lPafSD+}OHn0_FY0p4FSzWKEQ66g> z-VaB`;9)H|KX z1~6>!Xg$xjB9)!|1bM>PUhg|g?`ZG*e{GtYTqV2{X@woVPm}-pWfJ_Rz4}$p_fUa&?CT&`-{+UFvBz7>p9uyWKrj z40I5eovq3qp#y0__!GPBYAKzQf_3Ec`JNGFhQ6=W5;&3*&hcoV*W!|-z|o$8OYmNg z_KY)+?M&to;uT}}u+n#Hfhhd@Qu7ygsxRKc+v=pggCWj}zf(^-7Yd_~-NEC-R>3e6 z(Xd`g2NGfQy?Bed*^jy2UC23{j}2z`ikRlu_jP^x4pHMZ!CcnL8+Vx2#p!ukyRZp8 
z3!!FJZT2Tl>-;5X4OD8WT(PU5Fk3w#UQ6~l$5=F&z5K3mWt;LL%}+kpZl%!)P6dIP zK?zuGkLp3bxo9Vg0mpCPQX*B>l(y-63@VaMES0_gp|qIk=ICy@+Lw8g&K z_Q958ZQ=Z3MbK=pScuTOayPSCRW$oz((EZ>9K2tcZ=nqhiN-L zqgVuuDkAH=CcH8XU{)QgL-ZDJ0fSS&YAGb;aHC@8Xo25umWMsq_Le(gYUU@hs4rF0 za`lIBkU?ve!7ep_F=3AO9W&Kw9oQ}Ot21Fmqu7$LUJO9H9ohBkU3pz^z^VBP#zfqm z)YZc*F0xKKaFVaKQ=K{_m@i`DMSkUzdV#U+W3}`h}i>1epUoqkGlZ z9T9RoJGMAI&I7()8Wsj58RtOMo%aIKfhjo~4)VEDzhJbBKGFg#K30*P>QF3l$Bun= z0~?-IVnpYA(vBJt0=B96f;gerD;~Ld^s(76>RkNn-4aES4?XcT;Nmx7f-r8YgE{R<6C0TzsKIXH?FeJdf4UDQQ^#Q5zxUyHf z!txQXHg7Q-Zq-Xhji#|HOi$=vF&XFEE!Q@fkmw1%5RMqUifnKa1solZ!R(u_P}N5<=uK` z&|;8gcA7ogqL$Vq&8L0zB4~7uGpz3CWm`WXAM5#X1QSO zeXMro5uJm}jkm+b77shoU1$d!=V@uQVX#!i)A5S^9vzM{JAVicTDSQLl;u!L*!RK!*=oLJSl} zF2et&mOzjA6N}ZG?)lUeGg=g3vDV=SpRSE6%(#aoxkmE}iEi#3304AV4! z`Du21iG$s)RwAW%hAezN$GS4kFjq{CVR=JCMTphV9$ieQ=iM7oc^-y#Em!KX^7&9I zwglYG$}^ki8*zvUn{r4?zqGM;+6=zrp8dksr-SBeouwc#D&H6(M>><%t zCxwmi;GMI+;r+|g_&a5v4+qhO;(n~B-cEDn=CrC{8e|u45$S2(@ss%2VnOuls1+Rx ze;^UWgT&dLmIo&w^^65?-q|)J6owrX>|@ur>Jc#|dSdV)a972>?F2sGJQCM-3ZHX2 zonqrWE0(JBeOCK(ra2p(tql8S7qUxPELPN!YR}f^h4H7LRU*W8th1y2(gfZC56v$F z+^eVQU+iyDP3Ic0JF)Z4ez6spyB(6WpJ>gMa)MFfW;h`QUW%DTL!7I3*Q=A0_gEqP z4|)}+n4HF1xKzuW^}_>Uzop4BqQb)(qeVqzl)O|8$9^v9$ug{B zBW1TU8<9N(FXm^n0}j_ZS`G(;{^iNhO8h)A_xaLdE6}LcE>zBHdr+&5g59;Ok%dx= zn2D9*lJMr(C}+FNqOfxqiY5oz8k6E)ZG}mhzofYNYsZvvy;W^qbOnZFEx@b9^+W|R zWXNas0p6?KN@n`qo~O&NRX==dcn3ZfQ4nd3{dG(@E6lSmOhT%-SVY9o!o!3Heu=0 zTCCt#)yGLW_T|#$SQr?M5DBqj-V84Gi>|Q1F}mKDKiSR?T&@Oi9cLoZQoQit_t0N{ znMnNiSUIqq?WGb2VHeu}jL$HBISYHhnBzIQbE?uIL)a1ell4RA(;TcWNa9K0-WYIsU+MsrVMdpMjF;L3?LJth9csJjCwa)pqufNSQM%f9W19#F=oSSUZ)1 zqxyX6KYo>2@~U=U>#jLLI`gf}7i<})(a^WE>+E$_J2}I;9eV@Vvevig$3{6}r;@Nd zLo(!J`G`RrDL3mGONx9_4yoiUQLGwqZ|6JvO%L`r+ z#r#s@ch-qMm=?PXG&j&8av)ZkXji5b?cJw>Bfm{+0 z@9fZl>DiNFUWyU2-RS)b-Gc!_SD_GC3g&`%vXQw`T2dJrr`Eh~dtFICV@B%IlH|nA z?(*S9E4M4fo@+LkND5n0KSN`zH!A@$fUPB_N6sGUGo%f|;uHtWWxEzhCeZ~m1Y)w% z(|is1kvIE1Kee01A!;L5#Rpm{e`|(Zzg;Sp5nV6(x!G0v 
zhaIB?{G#o?!^2>U;!<`K^E>&!G(ThzLZ%nZJZ$alu8Gmufk#J=sG?Zf@x}w+(HdLt zu6P}P(P;!r-G>2=U$CJ0$z9xQyES0Tml}57iZtrz`^*T>-Fc@zs2rn4Oko3 z>LvU!{6ptR?UcLUl%fyqIMcgMb-va;C)|#cft=f7Prns4c1ysO$EgwYIK;upQ1m1g z152B&j&&>AzR)#&#V>P$J0_++fK(0MIqwyE%PXX%A&8>=cto%uu_IWQ^+Fes!{#x} z^=`f41QQm{O8MFeAiiVOd4gp_qKWbPwJbFmSOJEjoxe|dQbYk_4PT+x`A)PCB+Gin z3&B){T!^uf7SC&gs1DncW`%oW3py7FUw|G|FS~NJiEj!2prNn!4lUykio@`+@0Vt$ zvREiA5`0(j>MP~MM{y!5f0~u`v2w{DnvbUoKY}&g>M88Z5r2n*iblYv8(L*o zx)_ewBD~KW7Gs*PuCRzZJ+Fs(PIjS+#4T6yY9(3|u-3PIG7Ibph3km(+->FXr#Abf zuk14&5@Nfjo$}&eoydkaJqe4IzZpU^Y;@;+pZSg?(sH$fh5fgRhec!Y)(v3{c(jM?RGQS9fzGq?`&4D)#*999db6L`gXm@ z+IC)qs4>leqx7;XyVZ$o6aix~iUH_-QCM~X)QQx@8GF@T5kc$78HTt-Z^{e9%&&a0 zu`uOW#1I2If?tHo@}YhtX`rd%EA!tN`oy4rMK43R!?y` zGmZZynr@E`FWYG*FZ#!@600Xi=>+j8h?{*Ww3yMbhFCC5)x%zRn(0DySu2J9<^$ky z;Rsu~;yF$fqL286ygFJakwG5K zQX^q!yx6@+tdq*=Qao0cI6W%La;wtez48z{6g|L3@=G=P&6x62*zRmYF%@TpVA!yL z?AQO;W z2-{aQ3!+Dtvnl8#`yDQok~M&x=X4bkQbgxcV+WVvbzmfmRr+0yt!gFKcezyT!@*aE zM)}Pz2<5e|j|c@kd9{>g{_E00MeTxsH1VqJO(cWao@^UPwAc?!WWDlPE%Xh34hbf< zy478r1RgV~WgdSlcl$r|rC20ZAM9Kt+-ktkgPB5;Sg~R>a4dBet>Y^@nGuV`DPa%= z`=Acj7M>lhxxHg716GsSDkg$w;a9n#s_+zN-ar9i=2|0?^s(Ha6%bJoPM)Bc6>r~~ zhpp_Emnefd;nYVqzv#AT>(Q>!L2I>(*5t*S+pHo{Y7$oj(mnuowR22Fkj*i3X`$LJ z*Q&vbc8V4Y!ucL{tHKqG3+wAeIo+*RtL62iav(jBGaA;(v-T~BH`DiYA)kT_!OoU$ zy>$FEzC1oItHbUYb`TF-jE|k-*TZNJs~XdQrm?@!xu@dNqCb$}5rxCxz+*E57pLC0 z9$?`joisV^w^xNiV9%wf2pLE|;jBW0Zk8Tnfq!9*y2EBShN54$dL0}v zULq;PiexX-#jG%V7zh!0&ni4q+ip!GWtQ;l*$#Y4b|^L>{>!;qgWaYcZ+r4l^qeOO^WqDMrr{UJ7sr!6hrd~2JXzyH*Fk&P7Z_4^n-Ah|Jape+`n2pl!cz8tJnp@p2p$8k)>716*ivO9jhKz#lq(`tX4yDb92EbePeIs zMmgbM?DPsNu{I$9EN1ouTZnJ6QYo%Lk82l)w zb=<4=R=Ajj6I^%@bOmdPJt7VYCl-fgiN7z0?P^JbS=*SXq!sDT&Lcgwz$|*-6Bs1w zOuLKxk^|&FsiXJo!6(hw&|;oey+|)D?Ce=cC7uAy&AMVqE_My}i>EB!EN-~oyST5v zSJmIIlwL3W+rFDsPFNNthgi)1aC-;8lhuF+^Q?DF`D>Mr)ue~$Y<}&0ZDKv+KH;z| z)DPAY#v$!sw!ogvWIh8t3nDd8ICi1mN!EL!!(_KLz;oxv(InVW@9PWL*7@?pWp{SU z_3Ch{YvlHgsb(0nG#>nkzBDs2T$~Pgqg2)%j*NIcM2y53k#zk`dfu!Q_5{f%s>E6! 
zQp72=cu73t57mJm&f38Qv6n>D3NrSz@O==yqT z@X8mw>?8 zDfgl~q7_cb;f1hBL>rHE1^(^?6g)22A9TifFxbUxF?Js24jHe{t;*LuN7}NK?f-+D zzwQqE&<;dpz!f0O>~TD0KCS2}_8=_rL!-4deVVUsb}O0H;@`XFj;95Y6Dxu(+0|=j zka*MKR>jykD~=9f7oWhSS?HUcjypXs9;BqJ`Cy=7A!!R~&62^@-0GjViwDapz}O&BcB;vZo@3EU2T{_8uny5yQAS)VQ3@;q zJ&#@gs{31&LAK%H+p~AGPc-UErSnC|6PojR|B#)lJ+oL!o&|Jp zkS@~gde_wYSf9O{Nls71>BgrQ2OZYlvs!^q%CF*2ZT8veC6HU|^JM=o%9&lJoiiRC zdkn_Tej{!8{g~)mrC?7j_KuV7Ovk~Mn=c61xX7y%mDE_JJWSiN>(!r1)g z2p0O|sb}_|On;%2y$#EV8$$=PTS8J>|y%zAg;mA5^Wk83Rp)b9(B2G#?t zpB%VW>TA`HCufDd?LKY|REA&Yj0woWLUn;%LC5)V_j*RW4x^MO>g*`JgF8o4ndQ*f zYn4W)vq;DcD-FI%I-8wCAM^g%{0mc^orSsD9Xmn!L5F+ygt5k8hwEZ)@Fnb3$F|Wf zXXRk6SoI=hYJQ_!*s#XNdWNakZ$=8k!L$~p?Ti9@^N#iG6tsFWJQZ*Qv)-~pc=o9I*Q)%k#-?^mN1i10W`QL_)ha%A)INtoO zBeiS2`inK0za$us+el!+E;M==p5!`K()*q^Pxw|?r%uSTO8KGA{=!xpGSQiCd^Xmi zv1Hfz)gKsx9uyge%0Y6W)1UeVkrq!hi$zcDw7~vhg|Tww?QF+0Q{L(<4FuAzLM(qV zeS1b&8u&V^(=665Ooeyl#Frtnc`oGlv(mBW)c1NV;2kdZ>1v-KWZEmTp*7ehcvkaW zx8u;+iSC>8H>&q+b>Pym&e?yTss*iov>C!0#4f^+f@q74ux_uGzt}FRqL;{Hd6;MF z#g5P(sDV}KgcLQj4{D=pkWLbYm#uC%F`}AcXLeC7d~S#MgBb8`rHS8}x6Tt|J=q7Z zL{TG=ZdUDly`%5>h~htMrLwx@f%9;+6tE*v9r_(dl9&6uQhDTjUF(A6+^fY#GvH%S z@Y>}7;UcZrO*{}5w3WWuHM{4nHF2+twHzX3zUg)O;CMlbpc7c4B(qT+@F z2Qy-+9HFG+S!bJ=|JSPLN}pJq?2fhaf*Y9|q^FrU-#RDRoE*TvBO77IY*fCrc%Kt| zjF1^QBKRU15DAq#T!JyQNX2K@?&^uq4bv4RlgX#m8u@>`?j3}8vevi3|mB;#C=<11H z@6={;d^R_ z`8&pgW;b)McGqm>J^qimf1LZLxj!XY4)<=4!S%UAm4B$-BNd!IK*O8YTcsl-rTkN+ z{Zk_$jWeI%j1b~Owd-TAeDp`X|EYeQ<*QX9Eq=*MPVO8^R>S&tn)A|+r!hqiRZsrN zp-N%(pPl=8`b^#&n)2}ay3c!M-RqlZ;G=p&%diS?@3!XtSa}1VkeUSlxwgG2XXk?0 zVWBL%7BMirJ*(+Y^_980J@?ae6?;XGz*XN=zW&=wedy1r4;`3VtBjCcT~EqaKin&a zpQlgyboA_ru8MQ%QKcNp(ivle@AF`)t=)s{w?n@&Zih<2r~SEc|GBktsFob+`%>?G zg`fH)(zrVJ-@5)I2s zHj2$0YUSyXLsPGPJ?D(Zq3Xo{6;t!7Mdq<~{;^ektk;!3&-!yVs@Lmf%qy?@$cT(_ zVAI*h@o1_WJ#40a{QPb6^ZV0s+?wVRMA)n|lipAB0*}kgf!q4k1$mo)+6puOr$5h@ zFKaQpH-79wRt87 zNu?*1iQj7Uom%;A?;o^|McbX&VE&lv`)9?W&vV)g#*R9ab}{cqPm2O7|4_OGOGDgw zPe%Q7`go=j>_TUU45{~RdydwRXde2+{N9s7 
zWU^CqMlbA_7Braks$B11>!Sbk#eDdwG2F|S4%t6jjPTxFt)(Np&vKu=e_M+9$IJeH zn#Rhk`00x_{Pel?f9$%*j982(=r=L4`@O?HJgHu@{H*J7_3J(vz4^!b>dX8Nea_E3 z9#8JI~L}8xNA5d)L0y zt@Iro&&zu_+12|sv*?PmcS(k6QS2x^`fzZC2u;xj*y?lkhNS(rej+}jem`RAEKI(%b+M<>55Bgyb`Br-%>MiMVl!Q^^m&xO?ECMp zg1wo>C(-je^|ikJa&?^PyHOb4>i*SWzA0^QPK>_aKP#5L^6Bs8z- zqvvEGHQSp3v(cK(gkhIk-`KP>ulCD6INn_zpx+eWu^%)?e|ta8>N}Gn5K}W+?te`$ z9X+sKU-uHEM~QGYYh{d${?U4~cdv)^%}6~%#voi|3h&8!+`ryj)r$wOrQd%a9%-f> z{-Hk9dw9%Zq)-?=Iq(4z&rjPKTcmkM}I`VVIN%mEWw72Wq#4@GYvr=(IeO}P@RJ{BCfmLXK+kXi)_@} z13CLL5;P(RP6m2XD$>+wLDpsnlAQr>CnO1KIMDU4l$y7*t?GK-an z8~w<*;IQLH!pKK2^RUR;5zRSx{{Q}^r}iKD0ogfg|B-)(?cX0u_@1uCFuz{gd8neD zKRyS(esbubS#0Ys&!68er~bC~n%VIq_S*h74s?Yy`gJ+X&0ljvui!*Xxz# z|A2k-BR0o>)V}!a!>1AkXnjZ*}}C&EUh~$>GJ}$9+%J&3g1}4EcM0`j6$m-xeSHXup@=@1tjb zME1{G?yPKV_VNDfJ^Sy);`FDSBqGIwJ!_?+~?ujl{w?foHt_ebnSOJ{m$#7sq#_Ao%#zP<7#3iRS_fnxRDVP@hkkW!NUqmm z@LNgC5p#OgRdH;LdVcOX`Ecg*V3X`;VEudSU$)PWpniXdSGAv= z;p`{9ICfH)iTjx|I3#<_5qqhy9|luxuqOV!_T`T;9sX8*iCeMqSFC%dUy&?dj@sbz z%$O9;3-gN-2TAXLZ7DjusUKlUINjsTw8HV-_Bc4?1$N(%6V9Es_vN>H^uKo=of-0D z=*J&IknBLW4{yjq=fc>d`LMqcrKgM6>#2j{^?NJ&*S+?CjM*b^5*w4^RAa<@r18IB z0vp(`j*n5ZTgiBR&5)SQ-!E%%D9-RduYLdcyIcwOlO4Q9PftBF;~1Z+w|FpPAJg7` z*qN1Vl{~3Gz3gmiwz?5$GQJ=8dciD zX|4DBK5Dnsr%}?GQhcA8`L8XVjLDB!&{h`xIq(tdV78NRv=^6aKP&Ld8GVpk{x-+a zUwb)yxtDwvz5jL<9hCd;pa;d`1aIq%SHF>^z7E!y?-1(MUfqQcV<&lU0wC+)$95? zQKyt?OW{P9S39w*1b`yOd_{Z(sR75xMGKGy@*9vxYDelC)KY!M++%Qw9m6d7)8Kw! 
zt4x*MAC(CI_FRzsfC+^2MV80h5!R-DU&cCG`_qf7SBI8Fb92kq$P&CmSa1vc_qD0p)YUkZ4%yO_599lFM$gsCq<_mwoE8H&>d3C_b^iFS zzN>6I!$9){y&qqt#96fF%TM_9b;Qh0Xl3%Z+DcJ%;A>PQjvbTL*8KrGVmuko%BiN@ zO3P1xJUgz~Mx^`|X!7ts_g)V*J=bIv(f?~bxkKB*oqt!yZB{@oZaad9XNv9ap_%N}y z^r(D)!dqkRDq<(uhw~!X_t?>*ulngu=4LXC`NDdfMS51Pa?c-_-NITZ+?_Uevcuo& z!SOSDJ!b>DkI(BieeHfytX5lz z2}baJ@+Ni)?23)OuBHD>57o14&!VW#*okg$hUp#1)-LzNtWb10?)Ka^R?1-lp&?r5 zEJS%c1<#61d3AO|-pERJ#tl^y{)?xzp49D#ZMkfswwtqOVtZI zXY*9&cw!?Eu-AqKP>r|k70)Q%_q{!v$S;WpaVJ*~`N1qdJw?B7jKq7IEw31^-?@3< ziRl2luY_^{|MS8JduH~c$AWcN=h3bEEqmd;h1YY>>AQeHp($JcXsc0`FCg-#t_dC}Fre!pMrx@Dr@yMlf%tjx*5Xl)**bu)R7 zvu-|`k~z;2Wct^uweEevU0J(*|JBwS9P{hYc&qzHf#|3 z{$SP*td|SE>6rxe&d}$vHoK$qaGVpuD>xs~pHSQ0%aObFsW!J)?+DzET|;ZlEhpe? zP_lj^KAuU=g_>P(@XF4X=~u14USxFP-*uFq^6<^A+28vz`Pd8dH@I=+pI$lnzJg7k z*v`&R9pNWBTyM3H@8K5Y9-Ly=y2rW*atQX#FiC$h4~6x`>h{haHVjYVEE0Ynw&%P` za$hVHY%xyX;-~1xaF)qO`z;6ouWGI1!(ZztQ)Ie+oIc7aY}5gTaUZMEbNH48rrsA; zpMK|Vy~;oPDn19hPK|=^Vs2=tQMnnHBj%IpE+G3;@I(TgCtn@j2V2xTtY(7TJEB(@ zUxVwBSwF#cB%dfXV5}d0rkSA7sa>{jt{Ob#nV^T730lz;ryc%o30o;szx8J; zwf5G-x0hz9$RGnxrjz6|o}kUFf}3JxAmy3NS2I-W)v>XqW~f5(e(1A(>tQUN)0r7E z4K+g*84{W2G8S{Q8KZ*JfHAD*;%kNq1i_>CuwPYIO~FzrwZoWks2QrTQsMIKw(f5~ zlT5`io_Go_1bF+I{R!@ZvlG{^tML_wQ$)+>aR!FMeLP-+)J_9tE1b#?W7s1a<1nXal5_-&k*CHgBVDdCZ>FkVyemGA>SQa7QmUIt>4k%DcrZ# zE11uq<8xWPzwCr4>MWx?x!AxpK`}KkHQqUwGs50FE`b<(KLpHD6H^)NR})i?d}v~d zOidG0?YS~%Uy|h!-!(B6s&indIm|gbWm7U~@4m*oAFGsZH$AGt(DYqTYu!@4X` z!oqdb#1yqGctCsgW#*POF_mNN#xzcy|_AE18 zYko-dy_uBya^_bfW31VJnvp6wwAdZjSHF-RZuC8;*XmTCX?YFbjGHSxTrdjP!$XT} zUtPWovLQWOl=*s37fBCyH+}33zA?A?NpuHun#0n=r2|(ol5rM~Z)f^SVt4E-?q}+M zu{$zVy!3FVktVS_9NokYnJ$Oe9d0k*QO0waVs~tUo8xtvU0CdnTz5h2jwudNE}Ia$ z!)yM?o!4d2^l5SvFw(=79&S5^ZI1Kx=FVjD9_it317Q-o1HNk4~ zUokzz^dQ!9V(g_c%W4io$)gI+9OvAitfP~U=}Lxf0h~fV7lHG4b@K6$nV8`Ni|HYz z$0}8p(5c_H;^4NFA~HQDF+IfeK=-D7YSVsEYT|RIq8HOcOpkTwo0uNa-JDjO$S^X+ z^w5ZLN8M%AFpEkV_h*l zHks(^&9lj5Rnqb3AGb5;hfY4GZW7a@zxRphacRAs=pgpDZw40<(?d*;DK#U{nQnuQ 
zN6pG`9geTNsd}`oE#`-q9}%~E=E7ori1{JrNB97}tqkf>^JB#PpjR7bP#znL=(^KI zVt$DEA?8Ot_lbV(h4BC`ZGFMa^K*%cLV7tphj+bQI@dn5;^OOiy_Oc&@2;G$lfee0 z@sX+U#rzQSL(C6OExmp&ME5<@qY(2$%#Yq$dt!dveC_74i8|NQ2`)Kpdoe%6{CGA) z6Pt5cooC`o`&3C6GnBC(&Ays_JHcMtFMC?dk5DSls!jAnyRm*Is}l30e{WdKkKlT* ztBu6`=v&G&XQ7o#9b+`+WCxa7+1tJ#6%{zn{p6PtCzF%7Yc2;F? zQ~+eTa4zp#3^=tvtz7oVvOaRdAMG`VsU<_FIWq^VlU{Vvi=X<~gJ+D_Wx5eM=|%b< zH)C++vI((3K-8yZ0>{&m^v7}-iB5XC?kom2&SfZWW9ffv>cN@3M<=~(1ML;o%inj4&-wcTKRmhO;k>fy3d|g>pqGoz@$$Rr&o~p~ z!2)kTwJUvo^`83a1-FMYBEGY}d+1s7FR$zP?%3}0e)iWDhB^G*^F?p^y}jbhzH|Q= zzT)Wr&r*Kt-#M?Sd_5HJUlZUGq=i&9dW&$ z#MJ)ykL`}|^M=T`@7lv%@~)^)WN;Ck3ZqkD4z-g{d=@K2tdL&)`Am%_R)|<3VuiQ` zz@2nYptQ*+q#*&N34)- zAWUL~WFt!dzI+D#5GzEi5V1o1Y8f~=`&Gs>hEAPI^UX4G0jkl@(<_1(R%i=9)%C5u9h!U4bNA-n&uvau zJaM!9&&>Tacl7gfdud;n(l@Dg=AQNG!`$1sH$A=86?wg>w5_iDFV%-qJ?!(-zCG-^ zrylhF)4n_ZttX%L#Iw>ptAv-`-7J+)$~rvvr@6&%>Z0XamHty{-py_I3(&7 z*tbJ-|FhR0<{p3U(VzOH@1K=!x4aJ3I^XYC1AV3sf39Z6;>lmH7*qEj&;9o)w^3vF zUr%`~e!i}c9`@(@lj+Vhx{dN9w6>%l^YRc|EROv%l}x?rCE%tK-4#AFX;>>krk2 zSz5iZSv{WD zR?A0I?~cCSyC%2U-}mRy@p2uj&K%k-$JhP00{73I(MQ&?R9n?!RWjD26Qf=WbN{t6?ltR-nlj8} zZC2O4p8T(^z5Q4I^qpt^=Tzf8*=6o(&Enku{&~ghAB}N$%-GG!)H?n1pUQphuP^PJ z_2R5X-z#4~&-(Yr)|Gymy+(h3x$-`gqn>&6x&C{jvDNsGG1p)3lPTJ>UH`tFW`JDH zg^}z2cK_52eN&!BV?1@ZXUL4-suxHNn&jyuNwnZ)J^P=ljT!QK?!WxXUNX~Wuf6dY zv*%2?(}G*&Ir?t9R=w_Y|G(87)2f48cer+qRrbsCW~K#`?>ZXWc)k z7GJKtFK7MozBRmmtzDdE#oxEDNH*g``pxFTuj!|Qp8usjVyg^`=KZt+X7cpQURwL6 zm;TgBP+KeK;WV0mnl$61DL=LTQ*-g&G^6)Yy#E`i_usQlhlTg3oc?F8?`g-qS^l?c zG|T13q|K46oCp1R-(SM_TJ-C3mor)GZ-4F|YV-R>V^}Gp4-e{zA8P~4;aGoPwqaNc z^uGT6w$Hx4|8#M6283uZ3$oA|FVSHSpKNq z|59U^w{-M&JwVSKoixVYDDU;lo;J7U+3=p3mHtcC*&n9<{nDmA*e?0e`t7&HKeSF~ zvQsPMK{IK`AJQ7;>7JFXC3NIoEAKV4Tp4!E_uFKqvnF0w9&Nkd{`|u}4@w=5v|4E2 zQ3n?K{u+LH_j?-QYiYONYGduwi$;)T#?w>o>*>?XKKQ!ri={aH*`6OY`_eA?)<*h6 z?fel>f+U^&jhuh$ksSK&%dz^W+xh0=?C-yS9;Gk)!uW32rZG?WiTgc6-)DXoZ(nP9 ziauKnJN5K~au`~N?>$S+jvolXv*zZL(y;@Ee|{!^_NTA}J{u2`M|rl?B-H!zlh4Cx 
z#P2oQp1)TPkE+Y_X4|7a|MzLU=(*Lon)Sxy#k*(Uk9r=?NwHJ5i3_Pkk=;a=me{cC5E1 z9(0vwb}_lTGWV(XSLOGjS})C=uOEDu{(dz(R;}+;-{XD1)c57q*u`GQlT%k)VNd&f z=W{*omhM_DxYP3+t%7@9UoMApjp2ND|4w6buKTWEo36jCE{DTbZdBjPeLmfPGL`>jyRTI5asO4dBE5dDMms(Kto)Xz=j8KX>c{t$d%gOdsGOh6?OE^F z`*x?+Y*e2owQ;HIyVLdK<#@4KaH;3-REOiqCH;B4G?#mJx$l>&|IO+9^UB?<+*7?i zl(%|B{yE>h zyXCi7-M*bSN9r4|-TLcD<$B+#>{q?i??z9r)L+*d74?7C`|k99_^;*b$0PMJ@8Rd> z-*WwPYwG`Vr8%g+>bgCmCX$d?+9Fwhmrb_wCBP)%Bg;Uo}p?8{e(!Z5=$V{F9~sIE}OQa=-M8z0c;4 z?;m^aL2Y>3>tVID-oD?@|J3z)q}JSQJy-|U^WmwS2UC3yPyJ+_-K-rOy+(hNVLz90 z^K*MwKY#!5oA=9Jf2g0?d!zoiI@RmtXSuObf8K8ujQ%!`*0cGs*l6DTEI(dP>sr6B zG~ywQsPwU0{yII>0H_kU3iIY>hvHq;HrRn7G`HE4?mNll9VluYT5-bw&=}Z>){`!Tra2C71QzxAoijP3uQapPI&dqk38Y4Bv46cish55(_0H$?pQ^9)AL>hb<3=xf;7$1~)ynPq)O~*0ZX@-q88*`s z=J|)7xLG-?^$oeQTYk5D#(F&6Yq$P_^pY$3?|Rp6)&KO*kW)i$4LPvU3NwD{J=PID zDGou;Ypc%|(|TV2PW{&Z#p}28*M27_XL{xB)W^4L8=a+}K1}2KavJ~V&GIKb zcXFB++N0lR`f4_g@_W+tS$~tS=$p4_{znAa7#Px-GS?`{xe&>4sxgI{zm>#cPuCaEFfPOzUy&IR0T|L#z z7~|sq@#et(c8_ac|CfS{IZ?ZxG*eIZ|5E=?_I)<4>LQ);zkdG9@9ulvlWb%?YDLd1 z^q;5u?n-&Ba@}8UrmFkV&$*xOs&Tm1^%Gq;^G^2Zbdu2PQuVx)^tjf{KG__lMcC_F zajvy}IvH`T)pc=7z22O+7FPTJv0PaoyOYei)U%iSMmN0eF5BQ}@8_${-ST=~Sx>ri zp|wIsUg-+G__P{7n=GDlU3=UUyXEWNr>PZm)K=frf#36}HT!d)#;P&z%p3i3s#301 zrtfU$v%T;A=?CLH`ty39Klajob7G^mo-L1CQ{Hd7^0fOT_vvbPC!L_)5K1;S9ZL6~ z@9vH2qU{$-f2MC&yU&uN4_@S3o$ngo=uV&bac`=V8qUW5T+g%RwdZOjoJxN2k&Kme zM)^{&JH7s%S5Gu1uN$vxjfxTSceS>>$q%?vyB2#_-=%7Kq^oDU^7B;Fg<51>%#V}x z(x<*3E-f8(uatbE=gp4w`shZVUX;VjX4J7{=A}kh$}>H&TZv~&&qBG^6}A_7Y+P7l z*ZX4$z9=vMZ&up*X-v*d*RGY*wf^{3*BYN|<@LBHZub6gs_Fc+N=DC~s+FSje6Mq* zzL!7Erc(chwfJcDy;gtlOfJ_}^X^17yU@s-=)bba_p7B}>HEuG7we}plb^*~9~Sj; zvty^67pu!cwYW85re}J3p}BpxnX^)^!`D4l4i~z5yRx>YK0n>}PxaZIX>G04V)5zC zo?WiiyVdz>cV3m-vF=@{RQAVwcX@C6{8M=!sZ2e7t9IQ^yRY@!v08Da+&-1xLM=H} z>WfouETVUf#9H^xe^tA)rFmL@8|8MgXYN-5eBf?>tChZ5?<Z=(!`+{A9U3FU8qv#!j2>$+xw3r97{c+fFT8FV$w(&sMAR(`&vOUg{p^z?DX5 zzL{aHNvG4bfdwJPFDme;viW4!n@79#%fo5}bD6I<)~d~uu8@w)m0@gdmWt)}v|2u^ 
zw5!$Ubg54E=}2|>Sjv@pZ*Ro*_sOZ&$FbJYdQbE0?)JX;c^fT&iu&bX3&dz@!9nJv93R=wk!?0%bM`~yVljMsb|?f=Aqn=e3d(7-dLTk zWpZ9E-OyI|>xUCP!Ajhyo>xEj;-ku@&8=|lov%Hoy7r)F*~Tl?=4EBEzh?93bl3hl z^XN=1d0vTp{J4-KeKkCIt{*G@Y-<0F4KAo-fjq;c;4c+j#J|=sP_LSZ+s}7!@7(DBxd(?Br;ayK& zZ46IUn}u?}*|#H=LEC+AHd<4V;}4a2yC*L6^qKnjaG&+^xt=wf*q`rf>xD+d*xZ-X2<HRjaCX3tu+U#;G|)qJNO zUhVF7rO;L9BY$5WpUUxKFa9#5mQ?=N z(B%8=hV!-G`hcXuJ8t*w^t6gj)Y7-r{%!9t4l`k`lvcVCder~x-FsjEKp5y|w)FKr zy_#kLo0k{#vA&q^E=%X}lm=Hz|8Gs#x9eT~@Va?>kZp6W-rA{7$Lm4drxSf%tK1ir z!aK%{zz{pvEI(Q>m9_ezIzPqbvPC z+q!sIN*48rTKcf|ot;WBcS!k-#-C+zxYY7rs1Mg`^NpTlF`Ki$06onbApE1>aO z_O$0&fWx1fZ;tSFj#t{d?$PtR(->YVpQXw^TPv2j_pI`9vrbnUtoKN{J?``Ia(-EU zV+^5MdvoJNJ+#wY&=zPKeBOH0ZY6#yhj%?~B`(ya*R=zB{HZ)HR{r19YTm!rW-Wk7 zKwQK=PBnsX!h7}VVB;ny{Ij$D>mkf z#`(ikt`%@JxpA`kxPNa^=JP%zTK_ z@oGX!EcVp-dSSJv=*V}q4{konJwNrwk^bu&lILwbd7;;l=JJc`p~RK)x-hkjrZQ`2 z?sJWbmY%4Myh=VQ3G=L#_pwy0C%yKpve-}%1bw+sIam6xmglSYLS?S?%xa~sP5D|) zN@fG^pU+b3?Xz8f)pPLI-Kn=8S4Sg!z1Oks9IchhedEhKuVoOm{W;B6#^3L%IOOrh z;aL5)Q?D%4!=Jv(<|7uc~M`Ij$a8G)zv&-WyMS?>=0X_ynm-0iO*)?PXj1hyu47=Qa{te9kMyWB(A5=%W7J5RSo~jN!o{xQc zT+VDpb75$q8>MAeUo980Kt2^YcA=6)g0^b|Pjsi8&eg-_=b7?igCDOK*UCqa-l!(@ z=zJxx5a_E1)$hpElSfOVo+5B>Y6&k$3pOipy%I^Vt^Qk6qWvG6ZLS|}Twazpp9edH zm-ut7q|4Xp-=jUjbK0&n$m>>jJ;_JpbBmbpF=0Qf8rT92Lo(cMbw^HbLh~co`5X!7sLx$n}^HsQGF>!377s@o}?D5lb?FIyYEZ)xDv#b5BCmnF`}Zy z*SovX|EJXzQu(R-A`qLEvs}+?l(&e+#Ztpo9@Q%R2o@4s5Lis*an^)5_Y6W>)u10q% z>3VrW_uxST(`D7%s77nm>|}S@db}r^@j-XCr<$FwM!U_=d)0ERimh^fUA>_!JS}ll z8suoEEW94Jf~yMO=-+3 z5k=8@*c9Cbr#ahwD;D<1PQqiPPp(u)GZI2#UO+e?Y5D?V^LgdNKVcU`_gQ^23Cm_C z5gwQFe&YmHg+oF!NQaGTdAl^MsH(1BekIkR!jmgJa zjCZzJeQ7-smv3wgFV>rjrMD9G;E}HI2+XgIuI$!#&}TAhr|aTs=Syw=z9?U^k8el1 z>Q9#1mF_<+hwbi}727?J3ID9Me5JH6D}A?FcC@ju=4tm!rC;l_naR^MJJpUogxB!8 zu{}Jk3_Mrs_(=a>m&1|T#D9FzcNpICH1Fx+g;G81-cHYJ%aGKIwPLMV&L$9LxL14Z zU--Ev*m6(0&fX!T)d(VKzK}mWC-&dz(k+zQ+`8NMqun1K-@zK|PEVOl7&NPu%~zva zd>40z*PgGRu9o9cJ#nwzH%_cj$iv6#cdNT(!cuMiQ2+5hR!SuWv~Q_2N9#|h6l{-7 
zJD0o=hkMzT2lduK?nr7j^t*aa$;&;b2cMMBR&9pjx`Q3UlcFi^H-6%(@R&!{AL2_3 z-mCu)SC^O7PUHeo;&1Fut6V=+!%Owk z^`3w)!gIxz&QiRbCzxgkOH4XEtj0O08rwLR6Qktz zyfEd&?tNNqd8J4C&&GOEi{4caBem5yUF>}E-ruM;=IGPzdP-F6R8K&DuhdqyxYhf(8a=NRYeYogePvy! zrdA%#q?j2`;BhmA20vOZC#nNG>}Ahjr?CcL?rXiEm-MEQCWFt`HWme0Cf;?bksynn z_l*yGuTg(kpKVu<^VRrnDap01=IBO$$E(eS-p|)wyW#GY0#0US!BMx%#lDkw<#?;- zVG^|Zr)kuohnwA-ucV)=^RZe&%ks*^60g*{;2`_F69 znW;5OCsp+-b{3@ga7} z`s_v5d75Hvyg*S8y756Z7R|X-n^*>T=OO|up!NVfs%vLw{A^8k3F^ex$XS_?E{gra%C0j9MkoeJ!>ilz0LGSop?`q}g z{tRwCx(flqV6|2+)i-?Z^SytV zdKG?pxR&pfH#Up7*U|2st^K=|#Q>~0M zW&!`>`1IdeV-d4QuJ?(|5=D62a}aJ=@7VqKrgv7p6}wt(4_8ab*S?#($zG5oTFtsW)91@webDIKE4?0IC1akxuk~v^eWp*Rx_6@<pNc# zY-OG;zYa4FBg?vm4AAQ{{wzL%sP>7TWKmeXd^^4`Kl;fuPX|8mZ_Q%o!_pI?`cNkJ z!q6ml8zo2ybPdOscL8%_m*J6Is_n=6Mz&t*+N1jDb$u!>`>?dz_0rvXnH9S}&1!m1 z984sePiBO8fFud;mn^3T@G5zS;tpmb`xtwRzxSYdx7m{rM=0J_bLP(U&92S+)#77i z-=D^opUsb^|KJrk>2^yE&rlrhWzSka>@V7djvzbf+oisV-J5T>s@dzVXyyB!+o?_O zOLwgLJ*Y(5<4ARZInp=$dcAjcdJU`}zvN_3-tI2>d#4;db-4L!W!nYBBOm(}-j+^0 znbg4y6m`B_+S}E_41Li^(S`hXd;X8qK3J&UfU($XZ!Ny4j`$ltmm8brZ7I%H@`s+_ zrSP!H3d{@M&vyA>D2l6}FNGKcHaukMde7nWEY(V!YIe$}{;WjW{CVxWTCMJOMLgd4 zi76UCGFjR0OOF*!zOR+$dGE9gkKknaUhb)v{U;~H%FPsV5(=(XMule8Qj$pQ`d!zr zl`mUaj6uv6IwBf&t9-FWp7+P<;=93sA5`L*Qo!h5)>8Wu$UC#`d3lS@vWE0GrpKwC z5Ff>Sa6w5j499;Nb78fwst|K%>mF~7<#BRxifm`A*D%qZM2{v||6 zRD?ylQXc$WTE>25T%il4J>N6ty;!?w1#M5qi$IHVVnmS{7kY~Qe4_e89UfJG+6Om7 zEa-VxF#7mm^QFa};@g{Dcd7vf-dLd`18`xM4-3amCEon)t}a$S>+xZCMC*3?ey-0~ ztI?He4nH=YY?FsmJ|eARKWu?dmCi<^Q$>XqYa5^Zbl>@@^eO*J4x~PY3GWq(_Hk+> zYu(N+tr7*^sNQ%SH%cM02qRzYo;b(-+67x!s|C>F6QzZ(*%=|trSiefv+|xazQ=lE zvpg?Wd-Dv3=za5NyC)xZm#;3)>K@OKSGHL`IDPCEya2nKAOhs4{ZFLN^U8;Rk`iLh zW|8;`+mz2lFTfAiDv6f_=@}dp-ZRN^sXQ^z#^1gA1}^uu+Sz+xf62YZ$mtG{$(3qJ z{>~yRJZgR|iA!4YiMK2FR#))OF+h3xSZ?Qfk#%<1ye~&FK(Sm1A-*M>&TNHuoa#II zgVCuT7+qL_Fx&^t6=?nSo`8yrV~Tr0y!dt(n}c^7C0wlSS`3j;2VSwL6FJUqTB&7E ztNU*CH3sJ@&Hk^e^$GoZzEX|vy1ZwT%u-K0tuJ}!)<4e>X1h3zfOUthg~4&M 
z8o%xiG=m0UC10o}7psq%sXxSg%wQ72ITQR{`WZea3PfIiDyP++!BK@cn-g!U^~?VA zZN)ZWJ!GEV;Ys6KS;HsFmq%|sJt$A?kefZTUJ7$Uo$gj5bO<7X?T1B#$#cJ+g$X>Z zRFY@2YtMV?%+wDTtBJ@rZ0}BKU)CRRzdK#w@00)Z^w^{HviqC8U|Tfg^IC-ob-cQ= zdC7$3uHoB>CSdm1Wre{8{iZt}Rc8c8Y8QOVx*!FtO*QXm( z4(uVj)^^I#Xg{y^gBiy*cF+7a8{ag7&I-WFYh)9+#*kjm9Q^8&|y#;2vka>o8#EZwQ@kbqGB!{x|}gPO2} z`9kEza-Z2|^b(D0C0Pq_F$_)-WZZ4uzf#~On^T|D?2yXyJ^Qx%_Zky8i`613Ko5yc z%vTq_E<{kg=}D=KF~4548;kiyugmob&ju46&+c0Ji22y_pqKBJg4{K-KbIdQnr49w zu(Q~}JpE(UgH3m@w9d;q(mnf>p(AwgyLy<^epsqoeP_q<2#leA!0HtRxZNMjhAw#3 zih*jgmHAcTh-^bz0)y1vKWH?|Ud;M+PeADw$`e8ija%wjJ9A(kcIt>d;jdsBvR%oj zTjjb|3*L84U7#=#xK5Y~s4c(~m71m-79h?kEQK+e!Zv>+b| z^0v??9t-PYx02*blHfp`s%{uA!)u{utpd?^3QXWCSDx z_d?|AMpw*qxR_OrO+*WeUeopL+MRO7cz_Af7t7^#zFL#}P~kg$GLrg4Z$oe{RR%o( z@xi7w10ayb88*l^A}=pjG7SMku-ngkf(Mv4SF4dV3lHFzLNnny$4hNzj`;DFu0nlq z;LIqeb#0f14|Biou8=zR?5@<#TeZeY5LL2v$yITdfs?=Ny5|O$3`)+AzF8gv1G`=y z;MhaZ%_?>fSoTEwA&rh-McIbOhnQOhQq6SI`xhxpLE51gQD^1G0}Fra;KW$Ti`0gPeqMR zR6hu*9(de;d<{1Fh3X~++nXkX^}OyI{yUEV-vG;Yt=@lKnkzkdzkDHd5KNW_FT>or zKGlviwJ(pC56fX2kRp7Ix0Me2W6Qy4-_^%Z4|~K!I4(4YX)Q5#y~9s|Ou`aaNX}_6 zA81AVA$A`$%dQ&e(&PI3e&s-+*=+O`EQ>T@H^I@M#G)Kar5CF|+4C$4i0M{k`ixJG zeL=Q3f6rdS!S@+a4A#ngHQDJY=*{bCUCviF3wf(2$NmMeeqKEbk<=V0mIx@+z-TTu zU-=o2>L=}>`S}5&otW;tco?qFnl*E6hfF&`+9$RXqpqX37KMBc4U zqB*QBRu$yJ+`!@&(S?qPCEE3f;lpNU#VT7=5PR@)IgfoPykGb~P0H_rQj&`7U;1LX z^t>4Mza3FaT@%N`tioY_T^)}047R-;CpcNqffv<+6fh5umlLlJrn+0*j`#dxSFG9j zuD|OK%F1TFQttGf82|150j}06ngt>x#`mUou~VMBSqR~fYOrwONpLh;Kt194bQmuYf^%o8ImWA5!4G4R zJZMbTdXhE%sCQgzem|SfZe^B;nQv8*=0^8!_aIDojm{OAFO^v9xl)OW(^FQ_*yW8a zY>mIEUr7a)0AyXgSpR&@iKvRD%X5H($i4N`#ph=?JQRQDk*0kux&*P*)}h$-G{E(wK8~{tVjsfeE(T=&X?q! 
zVK?KWS*_w4=KD&y?^Y{1Uw$`AC%VN3#kOVhvtL;L;^xkA!+V2DvxzU)GdL*f@u=}p ze|#}xM{{BNsW)9kI^60Wyy8Zs!sWyZu`77fVy{n2u~t6#Q)cdBf4n`C*oeKW2E1B( z?#`F*;JCttAtOqphd%bnt_$nb`egUhH@t}R-BqV|m2kVy=8bWPi0_Kh_N6XXTR4n714K%O$}AGz=EZNbyX1AAgV+^q@RW)z>^6o<3HC zwTW%aXRxBq)cV!R#dlyaL!Gg~p;-`pc#f9i=|aIsQfLTtoc%2B4^1_H&2##LR8~GL zl?{n8c&TrL4`|oAzREO~>A4`=iE-QZjv2>!L zH@eEAbwUEp-Tmre?ZI2kw;QztgHdFg42E|=W7bPEyaD^MMM9VRds6-%tNW!!fZZx3 z{lss2Urz7J!47OzJXRAdg9g1(8nGG}(6#bnr|a>-0H7;Hf}i#TwzHFVM2GO};0|I0 z?7X}Ee>#m83C#=I=_z(8JwYd!AGb>fm%*Zfmhg|oOEAP%s}cMh63=&oWWhr9EgR)V zBSYqpoz}H}b!yR-{_fTbxT_)wG-%Rj4)m6rSaTgvIWX2=AuU z&LM}|n`3+mo;XjPjuA0|-P7>C+e-x#g+AC3DIx}$A*We4JYIe(uSARugBTzGR;fij z)Er+y?B!D<miuv;Zlec>Ul^D zS@p59cglyaBi~oGfOSchL+jXiq_mlZOLVpx83720eMn@>&!r@tS!Z-7rkD8o+5RAU zBo2FXtMs?K4xtdYxz%i7`OzjMkX>SS6@Bc5OmLVvvIMs zH2cfy$p5`t{f!Lk5@SQm#0+qXl4!g5@kaecj_`2JS8-CKFM3H+jaZT>HJ-B-!Ny_h z+L0l~{joIU%CTz8wqEVJ^#frsbD)&`mq(46)G$Dvu=C9@>&;#|RYY^QR$+KxQo=3Q zCn>=HGdrzk$jQTUG3GFGEN8l9?4#KK8R9ssgz?V5@Et;EkDeVFJmEbCJj@tQXl%?Z zwvXt~iE6}GSZQ9+2~Wz&9)nBe!P6YI;?eOlyRHs<_`Xw|fSz+16HbCsMAFEv5hFL|*pArP zJlw7BnV*nsXHUSAwPCx~TO({3hzv`B1;iiVxA7A6fVG9Q!1usfpd*$m0rz@k>T9t8 zI&!Raym3hKN_ntl?G$2-<0Zq7t#2rzI*a;lmLuF3J}qJ)CaZ_my0+UY<^9lhusgC3 z zts`;R!p>R5P(*garp1uV^380Mo z?j-Dy?uZRto9bZq3hwx;#>R;VybSD{#lGRN&zI-%sl~Jp@7?%rH5&BX*rjOChrP^V zu-Gs5y3-M`KT?Dr0j)k$&BW8hQQ^OEy_M3!Iac~Ere;5k5f(#Z6Jr3uA>pg`x8d7} zvhbSWgD8?`#m%Eg~Rdeae#b^v{?;Uh+>EQb?gv6z4LlRSVU0iYu+d86vtB>@%qq7FmOEMW+#h3GZI@s?2VmdH#6JcTGXRgs~azp z#(+rBLSzE%M~>4h@Ou$2%ww1V-#`>o>_z076cpnb_~X+`vs=fyCyD9BdtDLNGkzjZ z#-B%GjzQCDaJH^~W2IWNr>Aj-2+?@ZN%qxdDOh>@ADoNJUE$Y|sW5CQ@VK>)25`^r zBQZeh5(aRx5_!VxAbllDk1r%HGQ$9PXe(X&{DXIPJJ-P8BATE7jsHlmuQo>j3~ts&x8Dcz1OYUMBXS&KxKM1AbnfT}Jx3M^dl z?<2JzJ`I(9P;2=sSOMbg&WfNjovsFFGdA{`^4D+`E=+l0$&e=eBa&mKJ2?5Q|C`MP zD3yqueP3`n`UfTmOSj8PepqqhC{C$j#p0PL!%TYLlVV#Bk_AeCTwl;t^W|@xu+6PC zTp}``A3WdKIXjLAfH}J`&70NoU+5a&2D|uprSj6)!?>6BM!>sZ<{Mo(UoKXT6A47F zHcQQl6=NiMu`KP@amI!?fHP6)S=P#_>abQ>aN^baWv!8G@-&!O-L22_+x3{W0)40 
z)c6|WLHuQsgD(fW=G*V~gwwrPNPa^AJ9E1{@bI8Nc#0UQ3-ytce~#AcV#aK@^>Sbl zv()Gfei>OoN?Gj?>i6Y?>FoRrFwR=UZrbA z1K0Y_A`tt&In~Vg@@mLPHU`!nhBZc&-ogRU-#BzUT|7!w3BUA1{SWbCbMp__EO@!J z#NeRw|6pz`YB6b1LteHWWe|4j8Wtr24>P4#*wof5pPqJsjynGe10BPFhFRi2L#ST^)RAXzZtF#cFRKp_30_X|$cPXu*@E64~Gfvrz1HxKm$9uN9~J zqrdEzVeP9m_AJZ^dc&i;P<~_H-l_KRLec|9Yrhv?2STx4YmElWYNcn4z?f(HNiXpV zAUQllYniMu58)BeGFUp)0}D?7!?PDl^K&`lhO^hm2>TKE`Bom*-1+J5a`mObp7k6Q z9o|LKm}6{>-Tuy2Gchk77A?kmG6St%JJ>`SAX*oC+I$ebWmD28EGB(#9%KLC>zg<< zI|D{8Dki%9ej3#~{f7iQbBGpU&B0PXRGM>Cm&yeP3_}d-=vBEx@*h+ungGunhH5P> z_D(98E%b%8jN9!Ksmcpw*OC0^YBR+6N_n#;Zca6)>tWRPL|8NCg!wuoskPg$SEHJ0dP(L(ZULd9YXQ zqi1vSUq~`7cIqv(^;6H#m0R^PWRc|~R%4$B&qgfEs?g(5+~xX@cPsj7ov|(1H1w$x z8||UOqj!(p1bwD&>|=%Gi)8UsouPTU7SOBEh|R8&9lRjO!q{VUv`^*~4j7aT%5I&({yfx&xU~cP(Z4(v40DV%PbN3^7?eHS7{|4g-U9<}bh--c~c#ow*>U zZ4~UFVSBK;oXl^XiSw{x&9HYp1vMZ6*mI-=*~!O+BjH0YR5O}iOy0Z{a}}q<3wU2y z@$`Tc;2lbHpqk zNI0qdb7RCZfhn11BJm=sv>#v4E*o498r)hC#m6SmZy&1@%S_ySyQl8ga?yKn6^JBj zhZhT7f?vSijy0leoAp|)tYdv+C(Mz8}N|YPH@K`=n`dS_}4RhOn#ol4q+qJptGA{Mo*V z+HUs*?R2J;q}hw=)Fw&1f*Q*%%D` zo;+KvUU$kBzk{W)*bKp8HZL%6L`p;@F=ttQBI9D5*aTu#tNn@OVK9$Y9$%5m<=k$(wAnJk-#@5D9<&nT>c%{Yzzrxt#liTxW zuO{r06noRt_8eny!-(VV|hNn|Gu2i*wGgUmY10v`9K zUa&9pYWJ`(%xsp0b%7PU@p)#v>M0RO9E34qWD9@rMpyMXGzvG?`gab{Zlh<9@pffe zk-L@gv>sWh#hurMm&EB!wSmfeX_TJc!Mo-X@YzA=|){Qs-`@kqdvYdoP z=7_M7_izdvGA+l+G*`%PJG!Cxn3Q-Xc=PHdhA;n}dK98+X2W9Ocp_J{7TX;M4PL@h zhsByBZ@La^p+B&aJVig4$B5;3MJCkmOKm-mLX%4xOkLFm&3S zU$amh#!lH|wU;M~_r)G@eiz+q#lzr-jRX66*mb=RBjoS#E}Wr2Ti-1mJ*@V#GrBOi zAcp*K-nJ8XNXQY5B3#z#z`lvoWyk( zW@8!o1vT>uGRvc9X`2B!j^xp1wf~xjbhY}k<6vHIN&&;MhDdmPaQknpLQ>JFSuGe; z5FuO}XBlpG9eRwn{H|WJpUJ5Mcz}1SCEkUedC@gG1k*-LlV8R2a|VGv5?zO}*`Y$S z@&w5PzZqwz61&T&ZdE$WUc~QcHMQr993dNVjIoN}G*2Lvcp3I5!kXE8Jv!vnWv_GGmVeOQ3x&bUA|+S0y1UtDvmVx`hl~K*5a$9@UBsBR zhfND(hU==W|Ds*AHS1I#&sQ=W*14y4T|jlLYFrVFp`CIh!TFYNdS+u9TQLHD77X%z zwPl~3sWx_xkx;lQEO=20$gCYH;$f_Neh=L#QqTK+R8EjCY(;h|wyeFFSg2+TFMwAK zwI(&JCQ397K0;+h0FscZ&~{M2Jtow4fSR{uyyW~8v7P9 
z;x{qif24hbtTe)DXqt??Ge>8lUS1wO0gGOU%Q;*fMpAH!&Vk? zwr3U7ThtO#1i#>+klHX97$}>F%sg6taGe|FZ7;C1<>V~7FAl?^7^hM2^3RtqrZJ56 zaJgCI^st<;G*}gQdn;WP1$tgR=_|8A9FV`iQf*izw<;Sao)5#WHUD5*IADA*Sh_yO zM!`A5rZ;jgj3`6dl67$!g?af#rs4CKh;})I|*xIwL9YHV&}NRb~4!M$5MqdI@#rD z*Ky3n>YNfLf^oB4c<`d>&}P4`Aigz=lA8l82VT^*`i0d^vN->bP07m>rDyZltt?Vz z57gKb!Je}ll~oLPXEEVL42Hnq#?xo`v%Cm6gc%35#>0R{+^T&aYB{TEzIy0wvI*i~ zWUx!wapn}1g=YvQr(K{nW*AHAbhTpbirkFYKUTz((y$HfB*%D!#hfZN^iQPteb4h| zodw34!8I6`0W|w!fA&DqPdq_qQt|$ws@F?@p|sd?V%ARV!k^%UV)=_pT_|__K{JMK zWUU%IduBgY` zN>9_9SSG9GL4uM(*!}!G*1b~Lut%$_xD=ajqc)u^cUHNm`%djT(bdgAY}D*pw^Ivl$NPhH9IN%WE00y|%D@hImDT_bCTTP@Exm$8ic9~$ zoUD9t+2i%%h$JkQV!4)*fG~@?MSH3J9W6NW}=CY5)2--0T%^|Je;E+49 z;+gmM+w2hLNyGQp0k|*hJXRDfBbMmbO6bM)(qKj7S@=~bxTfcLs&E~)3uYQ*598}r z_h6vw%?1|NR_!w4H)|D~*?wR66YiDBH6H`YZ$Gcd)bn~nyora%+Q*er9?8p2=O^#< z$-XrwE;(^a{2Ll7hC?=66Ly1|b8u*5N^8SHX+cp=R*IP^1s(>8OV2O%Vo_pp;Wv!4 z8(=DYTl+R?4t|fdZT4O7ySO}jLbQPPU8o+v#20bu7v?Q=TKtZWCSt;;<0-wZHTKR~ zvrc;-8Ww5~+abH1KLM>00~Sq#^*B`<)=6iQnMcb<#2p{zQY|Js2Ci>r>0MIW$&}a= zunaR8GvQkA_;li7m>F0r&R=-lADh>X7*R;l$ExLZL${#{>(w9nZf7v5DBknFeC*5A zYPRP}pGiZJJLBuueBtXbR?#W`ptXbT24`NY?&b)q#<@CnxbSJ6-!I-u512L1sydh* zGT)3?=x@Z=pVt#OS>%Y-g`sq{7d{B7KG-2EU77u^)bJeaynj#%aaO+=v0dq`OQ(NW z1%0edW2?@(d5gBTf`g^c%G&BW*@y`y zJ|L!XwCC~noQnYc+9?e^b+Q_2t=8EQ`KG7f>DC3T0)rFs%D-`L2kcQBFIPSWDcsv` zN`471#z|%H+O4iQIn0^oqDOY|Id5sC;%VJ4C#deV(vlc#7#{oE>Z+dDyL5$ha!I+jyl_Cr(x44xccHnJR69MlgC(U%7#zcU&Ah-QR%;H(>NPjHV@XlR%0+& zi$-K)Di7Dvj-k`FMs#+ZQlciL68TNrja|h!EzXR@TNz#{jv!v`e7z-NZq|qmv0ugP zVNFnX(#Ux$d}Th9K7{p|t4I2d@5xURP2DO7+-UE2YQ>A*MPBS-gExJwJ|vD-U2BA| z)$@1Dk>-2Y9lNbqV)m;zzlP^`v^rp^;ggUwp1V;V_A}sMU9a`GdzxKL6Nz#AePj49 z)S2zW&T?h~RxZrm$wu%)vB-s@}sVFB1Ti(xgM zlvY&7&H?B!pAnOCqZ*Rzcy4w=*sBD4HwR!ncDi3H1$jruidu;G+^ROt_uRi>yQ5kr+K|&976McPtC%^*|29+TN84pTTL~w|ma1 z>+EoL)~%k_QvEDCyU`1m-~9R5l_AN+7U&fbMOu5Q@*rsV0vAhfM+rMw|H5aSYQ#ph zmdq$}O%zvdqI0ku7&26thevnvI(Ev{u0T;lZD1?V(w>2UvbtVRqde9&ydRE=!NXc! 
zXf(9Po&!(ec(O1?bOn-QuZ7bJ;HJ*i8#@MBJhTAY3L>}JolDb`m~75kBc0qe?>;oz z_}X?uJNutS{h&MZrDR3hiO=(+8-^7q(gJaZpz>Rwnz1D~?YI4G>MzFYp_@37D$VphYY&3}D#c(R!Y5 zMJhY_3G#%oz20}0-qGIq|K_;Uc&#k^6huk=IvhOA9XJf18j@_}A!%ZG@G;{F@!>rW zS;fM#5@wzUId69|yp@+c?4e<`lMk?yAQcdL7>80a7_J6n}K zLI=`<@F#ZL)lxbq1?$M?^F1TV41Hg#C2%Asoa50zuf-)vfulVGm*Bk~?HOkt+nLNG z#4E<`VWscX0#W!6rRFbgS6{q^x7A5~2Sc0{f2W>wE)+%|yMxDvt%6}DqG7#~4kW_p zd+`=^vmbN4yO47@9~;c>6*0}R@9X;X9iql-g1M}fH|{X4i_`P8c3~5G7DCOcdf%To zt@D?lHBhOga>cHK!ff`0crDrI9AnX7_VT;Nm2Jw0G(Y)VJC#N!I28nD1|?v%J*o%! z=AxY}1{}YEONmrjQ`)BQF{ns3u~hc{$I@b^o1;7BYG3BbuGud|Zd~qZ=Uv{I$|n~d z)pBjLLrP?f)p50_;k3M2+!7YyI0J^%gtoA?AZxgR5Ixo#KVi9+-zYr>&V2vPcKFrf z?rEb|^2M;L57&2i`gkn*mCuR)jOhS<_6wNgH;;jJ4kh7-Kn?w_h2A6i- z4sNqjS!{UHir$1FS`*L>WsB3YFpLL|3f;_i6kQR<=>%{=H+mT(r-j&z&2ArC&U`)i_NnJh6;v)OS zJa%2R^_(SrN#*5XG9%XTmqhyS;SM7mz1|ZHLJ}3SZJYKYBu!%9q zNiG;K{so*D>yuw>2N#@x?f;<~nP2vs`*kS@_qCqjuV3gHNRTN&rD0(}l5q}1-FYt%9hj1{;UJ$Y^$SM3=p!w_;$s!rsSd>=ckI|_H?ZMZB}R0< zC+(;aAz+(|FNhP0z2cFZN4tH8iruW2Af2==`|d@bMe0W6iH?Ttvn65o^Z*V5teQ1t zZzu*ZY=_;(OTyZ*_tp+0b4lciFUk7D@iCu8h9Lp=ZD3SgsSikv$CbU>6_$^9wRwx# zaI0Q2YBY^qVR}OUipeghWs9g>b~+Rb+#cDB$RL3})YaEq_{Xvk>hcvAS=T z!tYAKE#=N0GG8$qL|n8FlMvedqO`cm_@w3_W(%$3G&yz^dAC?C=c|v&DV9v7Pd%-ht6~qZ~1@zG&O+{i(1j!j%_i#otg`HLz=L9)IdfM`o20TI z1(Vv`dfR{OClVTJ46%0>2Y-hA;LVB)kWqYSeSyKIeNZhsQCYwnrSNODp2QV=*F78z zlH3?s)%XM~9kJfq{l`FXCLB4*sx{Kr8~eA_;&yr2<>D-SdXNt$54*)+GPD?^nVn|O zwy32wN%LtRJqf$jX8wwP5aqXDOS~7ZE+$5gn=5weiOJy}(^-R0_`X~)_I9hCc|_;n za^vl=vBkqqbQjtI$9Y;BZ5S+7@pQamzek6o%+6rxzDwE{=;WGk6Goa}D;0wIP~720204Y1No-*zBYv58+Yw?R10d+8t?DIzwfx z+Rz&;0}M#f!{yS567mnMefu=nkEcp&zoHWdU(~CjKrk(57trCumJkDlk&E!ZsU^@O z{={PSrh7hh#f%n3SgdvU!Fc?b*km#(tDRf@Uo8j7f&C_a;|^z(95uJ?9X;H0;<==T zQ4z<+XyQ{sp&=#EC6>jVzAMo=z~Ze-<;wCSL*RiMI@&%NJV{eO_%`w8a|0G=^!Kzx*^izQn<9 zS1XZHJVO?~o?~4ZXP7Id#<0Ahp(4a;Xpb(Y)AR0)s5}otyOt~USowS`6(fE=wed%Odz<}(`38|CQT9&dW!){*N|6HEh>a}D z!4|`^aDK_)y@-R@VJ5NzCopp40l((sGz+$--s4O1c37}x?ECsd3hW`#S0{yy@!*}a 
zzTy4L)A&1OpAQGoh2rkkQ*Woaa&uZ$Fb%Q`w}|vK@Ayf4Y_TBvb<~QEg+Gu8;z8o< zPRoN6kb1^~H}7m45(>i(3bxzz&3Z&kiJlmI2;5b1Z##j{H;=@%ox`v@_vtMil=5B{1?I&7urJP`txEW4JftO-t(GchA-Sz6^<os7eSr6B zx00EDx992dYt;|m8s34Aji|P zzIYYQ`J#N`MAqep@^%gSwou;m)ajmwFfLCkiKUNYcei|LPbc@^tW8+@v=%G)RrPUF zj(xdwITi*+BSb>1m^Xuq{h})@aEz`GDd6V%t)r93)&7T(n&F+J84kD3nkB%U7*HqIraVZQp9bvQj+{n20M z^@uECk?>x5CSn&XGafj30qwLC6K;lM!veoqOa1bgdSH05sBo|r8X0j;Je+}Y+YbxP zCBq?MtL4obG}oL(FHYfCX!%_<2qb0nIo}P^1gR2%yIOzh4OSX9l{gT6$CnbDQo5Kg zTaG`lTq?fB@MoZ8deGh(5i70VEDy1}ceR~8BvR%K%b&Xk3vni#DAsnR;HW;I`j1~_ zmb|Ln*Sc#?kj{K7^95VRX*Bfh>^gg$)lSZ^ZpYpLwygCn`ms??*r_Be&yWn+Egvz6 zBjsj2V@Z)u$|04UC5lxe?(KYMzv;pLhFdRo4~I{T>~J+dTp9OD!Ro{e;En4E77Tnt z{Fc?G{x7=152SCgsYw`GUPRgW!K~R5W|DaK(@G#g3&^RoncN(dP+Xx9q?u{#J(K!khO#9fMa=bss%eABF^V|R{bDvyle>i z9tRD>)-Q=*dOCN5jr_jP^HaN79HKU2ReYeO^0#Kl_1mRl8PWBkpYOX$|FC0}fM2xL zcX$|VQC!MyVtyz8m*$5ILdf)@nTM^t)ip61JMie}5mgjRJKlKUJ6dDw-4(CnFFK82 zsrxX%@e39-Ke>y0ZMOz5-{lSO>{+8*{2Ic|?upOYk4dU7_Q~n}`U?M#y~BSe ztHmeRdzQ_FWj2r>JL`DH*1DKC42qR?s}%5PdnJ$dG`WOpN?Ncxov$YHZRR@T6D}(f z2c@&iZMnMG3nzAq1^cFcbM}@IflI&x@#5^;8aNm~biMu@`?uKrtO0A|TD^onhJWZB zsqJ$2n^N?l9cOyism|BB=Y-pFGLUmy?CH0n#%>9?@;Ehu9)~zM8H%37Vqj^r)v<0x z+ZVc~ulQw7aL2^d2au}4JLkPZZ+V5ZGz3w!ACCwYBz6SrvR>#Sa@ahEx!$ceoM6Jj zSt(yT0mOH#I!~}{NHj5Czm}yY11rE#wDb2#Pl_l&tl=y4I^T)*fn-_Fcp;dokP9(Z z(&Bk-5Y=IO(yVZAY(eJ&;S11%>Sb51Ht{XtA2jsU-l1juL2(#9_WjaqR~8F}MS|}t zUVWvU_$W?9I#dv)AM?m=VTYENZfKIuU4Wp0c(BRC$qqwP`Hjb&)rrIf9ido^p$<4Lqcrz zv{PQZ)QN0()041R`I{j$!$x;L^qKESA}v=th{$d!@T;MetQO-yCOW5M;1f{&2YnVv zgrBo2SOsi$zBRdt`+BZ-{<+vR|BuFZl8=Zc`-89Qw|!X^^oCtRTYZ054~axNDM%Yw z-?zGEr^Tq}t;#g>VRK@N>W?c7X}6on?l|l`dgp!hTAiMw+aYH|s&CbctZnB-h#J!j zI7%2q18w*p8MGP^Z zBltzQEFbGfk_MV8zA|6Vuy()5pfAk~$Q{(0)x}QQtR_xP#E;{(Lf81JMnrqX8nE1O z=3uT?wsyJ3EArbs*GuD^AJ{*;nq7duqG!lGXp|EcpfuQ$PBQqUrY7 z@Uop|@}d`pl~_GFN+*a%LEP+1p~Z}bHN=8hsvh>j(@Ynt%UUV)Hy;3x3rE<>70+>^ z5PifiB!cXW{IL@Ud&z*laox-lhKd^-Gh4g@oc5h;8H9 zZI(tviH5}=b$&0e6tfWfp8qg>7<^$k_lIf&Lm#`IG3}jd`nXgy91YBy*)28s2IJA! 
z^dG(WwlWs`8~sR%vC?rA?39tu^`1Xgt*|ehbt0y=-P7y`XpDZt%DUJUr-IrK_`K`5 zcsHv7rj%7n*Wp3&#zv%lr@mV)S5h2H(TPZWJT{-WwtghtAlE0$hraPkAZ%aJEQlUm z&ZeM~?02|SO4a~&p3_xGND-Y&jU8Nu*MX5NR_S*+Hmj9b-{n%V4+mcv8s#^?Ae7g- zJ|YzGH<1ixd$MgH(PBR^k@d=Fwa_>CIV70a>SlLw5_rs{ zmU+Be?)HD^OR-3-KG?ZPxYdB62Q!5xv0}w&;8^M`TE|y*G9wm=Q^Ft$_CX!4Ej&A1 zb9={F2COEtRZIlW!mn~eRpBYlynzD3%(X@&X}8><6%bJoPM)Bc6>r~~hpp_Cmnefd z;nYVqzv#AT>(Q>!L2I>(*5t*S+pHo{Y7$oj(mnuowR22Fkj*i3X`$LJ*Q&vbc8V4Y z!ucL{tHKqG3+wAeIo+*RtL62iav(jBGaA;(v-T~BH`DiYA)kT_!OoU$y>$FEzC1oI ztHbUYb`TF-jE|k-*TZNJs~XdQrm?@!xu@dNqCb$}5rxCxz+*E57pLC09$?`joisV^ z_r5f=1se&|Lc|Z3z@AG{5i*c`!dZm~-7G!E0{_Aqb%)Jv3`M_g^?z`{c!{JCE0VoT z7qi0fVIV~0J*)6cZM!v%lv%>FXFKpI*`e5k_%G*b4R)J)yzR+HjSD+!?C*YG86t-? z0-srI2A3HhmOss#raf>pL?&Qg*gVb;gCk(L`fV^;)6BqSQghsMv3a^&bOMWJyL|cU zqUStOm=|A2G!4H%zBr!rIsDBE^#y_3(TSqJ%K@@&a}J8FF8Q| zlRA3O9(>Y_4K3zr)r<7f!p@$BRN@KH+^j2>W zF|VKHAX0}3x!5;y>`Xn1B>~OHkhxlm#_x_pY4G+)PpB1!>8y23RC*7G-D)5B z5kz>ujW}a~e7Sc1b+7U}olvyiYiN7^54`7EEfe9ywuRJOtL;|#SQq>yOt}}`5v_1a z4ljg7BHDPQEAV$Gpx|-A{-86?gTXFli?Q=CcgT2sZdJbSIntJ;Z2uqJ{B?KOhjt(; z1FisJW{=}3^Jzs-u?Jy^9~-UB>C=35vs=lm7XRKUcRVeKoLCWT$*x{IgT$K-w<^ZY zS#fj-yZ8hq%|hSoblmQF@gOB#Eg!KBwm4LsH7BBKr5vj)DA#s>a&{HAb+}Y7%LfAu z3rSl@YnBYI=4LP6E*>na0Aqth*{&uxdX7aa9YjeV!a77-MHz9eL@BTc^gMR`tL|@B z2HA#(Z_nP%KGCQvmChF-PiW5Py&yYRduFkeJPYUyOHU-vsXs>bZQn#IAYG)}^{%P) zu|9h@lboK2(~VCr4mzy8XSD*KlwZZ4df#WKmq2c<&y&4glry_bJ7+vP_85$v{YKjG z`!UfsOTnI6>>VfDnT~@iH(x$>g0Nxf(kGL&Fak8PUFuf%uzKyngt7U}5iIn_Q_t)_ znf^j4$tN)jw%6@iKIS3*HVXhcM3R`7gXi^oTIIA2Bu1RjuK`@0X0tP}u&u2i`-uIP z9;|er#ZJ)jd&XkOM%~|&#Eq|Y=fd zXqb2-JIOdh3hn2@I($=Z{B_8=U2^vBAFrnqX$M0?bcql4hsr~2<=wl z6sT?{FQZ*Qv)-~pc=o9I*U1{p<3?9B+Qtk=nIh{l%Kh zUlNSRZ6vT@7aBbbPjVeA=|fMOCwwccQzztErTkE5e_^W)ndnS6J{xP%ShDN<>JN-T z4~mRK4Sb!| zX%=f2roy{&;>(cPJQwo&S?Snw>U+Hw@D3OIbhS?qGVK-F&>CzLJgfPx+i~dZMEA}4 z8`XQZI&kS&=j^{v)q>VP+6-Y0Vi#dZLA1q2ShrWpUu>6D(M#m9Jj^roVn=8X)WE8A zLW&yN2er{PNGA!y%T_m>7*S2JGrOo3KDR^sK@51O(!}q~Tjz-BO 
z-qH7bMDd@sQdwQ{z0F6#I79;ZSS!&r0uns~6K4u2hEKDHHcMub{U^_i81O{}6iffKH`j$NaP=STm&F zLb`8&pgW;b)M zcGqm>J^qimf0+BnxxXY?4)<=4!S%UAm4B$-BNd!IK*O8Yo24TorTj~!{bM5`jWeI% zj1b~OwQINkeDp`X|D}GM<*QX9Eq=*MPVO8^R>S(YoAc6-r!hqiRZsrNp-N%(pPl>D z^qIUlH09y{>pt(5b+2!tfsg79EyF6nz1y7obL9O+4`edxf{T4jXn>UvVX`r%$V{Av26Pe;$5 z=&CrE9#zVrES)hn_&yJ&+S)zHemnFF<94VNeA+)X?tf~n9I7RU`o7dVU*V@di8QXx z{kN|FNI8e6T)v$lvvL;qm4n})oWp-DXYGsDvU4F{vzFhe|DVU(Y$Cai}`+f5p`N*CO*+JOA8kt^efZtUqU?dc9u8yz*Zk8Ids#Y&!cm9!+(l zht1U8&)?pEet%kyo6}r^2%B|g(uZkY;BlEba9h8+AaCQeX%A-E|&#K9l+B}nkq|%eh#BVkF zPObd5_YYdfqU}y>Fn`ST{j=iG=Q+L9b?m4^X&3W;^t33T@(-n3ur$P-_hi&Rr;lek z!7g-m$dG#9w&!U5NWRQw)t_2Tb^$|>4ldtX*uSQH-@oF9roqC+n#Nz6$z1vE*F$0y zM&9h3X#-dAvj1~+{x4m(3NU~^^qFm;ubetFdrm)^v(5&S3(Z5HnBRL+h)i~h&gg~x z(t-xFUX|%)3saAO-Sar#W2ArU(YTbnnDx}*U)}d#KK(D%(_fad zzvuqB{rcO?=pU`$Mss!a@%}b^Ir<~bUQhnZj`#k0eA$=UBmxJ|w<7na{IbUTQ~ti{ z4QCc#`|@Z9GVJ?p^y*x6*fXJTLFz zWLNLkkl*UhzoehooqQ!bLwF0D({nT&i$=gs!z2EwI>O`MO!@E+_S;6z4^*S!J)G+q{X4$#vd5$Mbcn`9zNA~>A zub;ZDxTCBw~0_d*z;)o*y>e%m&|kf``JUd)+ zuCMj&m#gDU-;KiXR`;(4^G#`cb7J)U{#mi~l~1=fI$zHUYt?-GP_N=n89gThsoCBP zn2pwKCJejW`o^Z6d9`2m!SU|$0R5%_kNu!I`s@2?R^OQvftZ@na{s6F(tdyQ`@IC| zQ6ikpS{Y-bf3)80-RmKJGg8lxF$fo#!h5nF_pdis_2R*6>G$7a3VpIS`^Kz0X#VKuS^Al@nvH}KW`3-^$s* z%ZYRUarz26`XllU`{3$l2{vpj^NVJmX$bO&9>Ioz>Kv>Qaoz1cgJY6fWTW05$k~^X zpbO;<&X}?xG z>-mGNt1sv1tmiLQ)|06`eLk2ycs=@sp3p{pwTBz()zPWYKb#s3bJGm%#I(i*Y>w@pev-&FUz5S8|!2B2iC{_9@vu+|6Y1ve?;|r zE5!K{ey>ZkpU%hC5D&BSWJGHAG}ONz+4&9_V+a6zm2To0Vix>uxjeJ-PEFR{-?r3#B98~oC zeex|9F<6AZ73*(52Ky~%@qe)@W*8^T>PNJ>IMMxS9gu-g{Snn1`qi}|xn76CZze5A z%;{BE#j!E!`T6^~ykE+$f#c6)?7{i}Q}X@(4E+1>6ZG$oNW(uS=LdHmQv}yQ6dC{d z>)6~ume-BxnZa9`#r0)&JlvVDF8_4{MIs{QN?XFuu1 zv6I3~+|QiBA=zV&*h_`|FqmqCHSzDYFMo{b@LTmIZpF$!Vck3Zie&k6)CQMl#-wmw zm|v7QNP7QkOVQy?{Rm6K=^k&U6^`$=$H5^lu=|FbaPG9dFTdWS|Go3*%#a^LKmHhk zWCyx^ctaLC7sejVhy9HxJzczBPaPDm-&@hY?6v&ay|`TaS%F{9=!4|)w>ggf+RN$7 zz2vj#{kN;=pxl2C{rV%(ls`^9%Ukv5m#zOb5(-oE+Z_IF@EowSendCU*jf7#=NTSz 
z@H+p!`3qx~{w+-D?};DLj5F`!%l&D;4q4it&&*HR+im&3aH6fxn)v^3?|gdWD1s=y z=SX~q2o8ISAdm}(AXz9tq(n&Ia71!Ib|Od|IYtTJp89RM=$@UP-CDc%kK?B(vSaVg zY-*~jt6sf&?J5DFh%sLgUqNcXF>=uYq=EbfNa&XPNhS(H08tiex1>CwKD17vJ$7oz>PYxD|?+kzN_yl z+s-i1JVEcrS1EB8t@-j3K7AcAvlCjG{H?Z9R2}#l6^UcVWVLmFfQ}eX#$Sw-~!T2JoKc5vt4)p45@kc-=n;Bksz@qerjYG2nd z_&pYOEepPb#|HztWucg|TX)rXcDL2Tb13vCHg;dGqisZR?~)o?#%* z&3~E9bbHZ}A{(K{RJx!kxw;(81BFFS1ZS>EMUk>Li`(*a%zzzM(X^?eRT})rQpA@UrR$_t? ze4o6DodUaJW3OxJKhs0??Ao&^sxx+?+nZr}2eP%xJuxd3U5>jww~du@m_TTV);SAN z9#6ruB2!+Sosc)OlAUow)r9}zX{{%9J7QZdo2c#P?3vgfBbWYQR-w+mZ#`MpYyH_g z)j6Kn2n6i4VF6U*ZF|KtiuZkQ&nEIq;z8WW)kA(T%TG_y?;9iWo@UD{hU<539(ZCp z!0s!d9Kip)@WGy$z38!E-PL(?>we2#cyHnL+;jRaAW&$^)_+>p-rUNOl@jkkLXOQV zuB*R-jdK}_+c*%RsIwhWVn?A#r9XUHEq$<)=J+b8GhZzDz#$!u$O*tPDlE`l6_eKSnbpUgvHeX+W|vxg1ClQ@fn--qovuaevs z%LH4D)3^93`Z1hk^3i?^Lcpt9>-g~3I?5E8t{>^|&jYPUUHbzgxmq%G7WD*-EXw z_3-Vb87eZ!z?11D`HUxMGppdHSQ$upCiB${)p~VoY^fQlP`n@dY~OkqOXqZEhD<}v zP(_AB=DCc;+-%0E;51+itGW1^p#nkh=soOL)m2llR7&kIW*lmUDy&qvJiD#?+s`CZ zaf~OPf(rrOerA7yyWs4^_3LVU#o-ju@_C$rp>Q9M*C2IM+4UjVHP?A+Pe5%Fq1smn zZprHCwr@LWhN_(FIY!*Bufa3Kxac4T5~hhM-=mmn@_5L1$Cd?fW@zhoba)E)t@R4# zGwAqSR_`x6A&NT7C{Hdna7|E5O-zk<&gG1-w~k97#@-JBv(&^?2K&{-lp`OSm?Bft z#8i8(%-NS@dBk^3Ooi$k7-|l4&Q95sOxnAzG4IDJrQ1!9sxUNt*B&a+X=18ywKXwC zCivK}Y}U2sd_(kbTX8?bsnNt#u0NoODX&Pzco1lH1`pE26#F*2hbE?myXCMh3zV>M z9W^mUEejsdUVWLlWlc=w7`rizQ|EZ(gPNGiWfQgCG%>ZltFDQuc23-zub<0MG%+<~ zwg!e;km>Obga_xa>E~7fX=17`!wKtW&<}c{nwWBJ(jLqNO-wQK;T-?mE|<%{O4hH5 zsp+gA@5|(4<7p;MOl9}93@)UJsc}A_iK*z_<7t~tOznfw@tf(dKU{FFr@1}L4A+_; z5`AwbrM{f`)yNoYwx4FCN)9b{$Mw}Oq=y@Q&*`-~)n{5>!#CsRN)H!|!u9ab;@Vf2 zFN17I4;N*=-qS_W!`)3EJA-e`ZGIBn!JOu>^l<6Gm5gMZ#pBzVzLMA-`-=OS`d{ph zOcgIZ+-amq><&jau|uZIA$Et`%XgIV9H!VEo8abnU1k>+yCc_K5W8cFLzK%V#P0B# zKXT`FSu}l`+yspDaHWUaj$xbQe7(6dnY>4OxZ6OO#O{DEok3UoV%uVOY?7s7t#<4h zGP|XR>xf$>YslndVs~6$?K*=CiQO^Ag~jf;ZR`$oJ&sJv<6TFNM}18(J*4BYjoepE z4>3K6wVW7xY0R>k!%*_5f-}cCHz@1q$Jo?A&4EmvykExr)^yu$>VtQO!Zznp4{q381_$aALKpyN@q zGF*q_>u#zZt!s<*((i1`sdKyNF9der 
zDts|N#QYHRgHubdp9|4_&-5t7{1Ee_x7MDRA2(mSxoo1&^>l(uPTOA04>3QU&CtZ= zTvq3qxY9mV(!~sA>_@Y&X5UV**Y?Yv7V{&N%Cl+{J<)EgpUJAk{OI2s7V{&x-s@^3 zF+ciyUnU=u#)mXMGWth7cO+?i(0z=^c>9??{L(@Gqm z(0`jfO1F@HJvtwkc7^*Ef4z#9{)Zz_Vu9?lMi&c2ERcw1Xz9Ru_+!CZ5B7scb?JY+ zvFQEhAg+rA^47fN?d)u^w?`C<>S7)4LgdNd1Y&`R1#RN2 zT)AvQED#X&shPm>v?Tqp97dv(UamWffsJz+irZNFADen`ChyTnFWW%7#RAE4Z~9`} z*gcbXN&iFoA8?xcdtW9W6AMHv5V1gFB6_#|P)D(DHw(noK)%_M8c59si92Dn8tXo> z*!gPF)jgd(w$Jf}{axPi>HPBd-QsipzQ7Mpu6Q`Fthxd-M=R*%qI10bZu&FM#CWj4 z+fVIEpI^PFetN;};f#pytnVIr*8I!sI=(x$`@En1b%kLLfA@URn|^PvIJ58EKZdV3 z`v0?(-}-mXD=MFXT@}5HT;|RHkIp!Ax99fVzxIh=+Sl{h2m7?%Wti%y^Ikr)TQC0C z+`pWmaro%0v_bY01;>boSRsxOO~;|#^vpAeh_perQL~E`vKtT2OvlWvGGj+vuO~6J zKmKF8BmBG}^6k6!aF@I*>Ju4UM5n^&RG35U@QQm9}G=xcNurvzaMw5h^iS}NT8dV5PkX2X7^_Q0mfs0%>V!Z diff --git a/IIS8Audit/Settings.psd1 b/IIS8Audit/Settings.psd1 deleted file mode 100644 index d1d88640..00000000 --- a/IIS8Audit/Settings.psd1 +++ /dev/null 
@@ -1,46 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-<#
-
- Author(s): Dennis Esly, Benedikt Böhme
- Date: 07/20/2018
- Version: 1.0
- Last Change: 08/20/2018
-#>
-
-@{
- Settings = @{
- LogFilePath = "C:\Logs\"
- LogFileName = "IIS8Audit.log"
- }
-}
\ No newline at end of file
diff --git a/MicrosoftIE11Audit/MS_IE_11_DISA_STIG_V1R16.psd1 b/MicrosoftIE11Audit/MS_IE_11_DISA_STIG_V1R16.psd1
deleted file mode 100644
index 15aef38b..00000000
--- a/MicrosoftIE11Audit/MS_IE_11_DISA_STIG_V1R16.psd1
+++ /dev/null
@@ -1,974 +0,0 @@
-# Requirements MS Internet Explorer 11 DISA STIG V1R16
-
-@{
- RegistrySettings = @(
- @{
- Id = "DTBI014-IE11"
- Task = "Turn off Encryption Support must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "SecureProtocols"
- Value = 2560
- }
- @{
- Id = "DTBI015-IE11"
- Task = "The Internet Explorer warning about certificate address mismatch must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "WarnOnBadCertRecving"
- Value = 1
- }
- @{
- Id = "DTBI018-IE11"
- Task = "Check for publishers certificate revocation must be enforced."
- Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
- Name = "State"
- Value = 146432
- }
- @{
- Id = "DTBI022-IE11"
- Task = "The Download signed ActiveX controls property must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1001"
- Value = 3
- }
- @{
- Id = "DTBI023-IE11"
- Task = "The Download unsigned ActiveX controls property must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1004"
- Value = 3
- }
- @{
- Id = "DTBI024-IE11"
- Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1201"
- Value = 3
- }
- @{
- Id = "DTBI030-IE11"
- Task = "Font downloads must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1604"
- Value = 3
- }
- @{
- Id = "DTBI031-IE11"
- Task = "The Java permissions must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI032-IE11"
- Task = "Accessing data sources across domains must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1406"
- Value = 3
- }
- @{
- Id = "DTBI036-IE11"
- Task = "Functionality to drag and drop or copy and paste files must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1802"
- Value = 3
- }
- @{
- Id = "DTBI038-IE11"
- Task = "Launching programs and files in IFRAME must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1804"
- Value = 3
- }
- @{
- Id = "DTBI039-IE11"
- Task = "Navigating windows and frames across different domains must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1607"
- Value = 3
- }
- @{
- Id = "DTBI042-IE11"
- Task = "Userdata persistence must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1606"
- Value = 3
- }
- @{
- Id = "DTBI044-IE11"
- Task = "Clipboard operations via script must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1407"
- Value = 3
- }
- @{
- Id = "DTBI046-IE11"
- Task = "Logon options must be configured to prompt (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1A00"
- Value = 65536
- }
- @{
- Id = "DTBI061-IE11"
- Task = "Java permissions must be configured with High Safety (Intranet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
- Name = "1C00"
- Value = 65536
- }
- @{
- Id = "DTBI091-IE11"
- Task = "Java permissions must be configured with High Safety (Trusted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
- Name = "1C00"
- Value = 65536
- }
- @{
- Id = "DTBI1000-IE11"
- Task = "Dragging of content from different domains within a window must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2708"
- Value = 3
- }
- @{
- Id = "DTBI1005-IE11"
- Task = "Dragging of content from different domains across windows must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2709"
- Value = 3
- }
- @{
- Id = "DTBI1010-IE11"
- Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI1020-IE11"
- Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI1025-IE11"
- Task = "Dragging of content from different domains within a window must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2708"
- Value = 3
- }
- @{
- Id = "DTBI112-IE11"
- Task = "The Download signed ActiveX controls property must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1001"
- Value = 3
- }
- @{
- Id = "DTBI113-IE11"
- Task = "The Download unsigned ActiveX controls property must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1004"
- Value = 3
- }
- @{
- Id = "DTBI114-IE11"
- Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1201"
- Value = 3
- }
- @{
- Id = "DTBI115-IE11"
- Task = "ActiveX controls and plug-ins must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1200"
- Value = 3
- }
- @{
- Id = "DTBI116-IE11"
- Task = "ActiveX controls marked safe for scripting must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1405"
- Value = 3
- }
- @{
- Id = "DTBI119-IE11"
- Task = "File downloads must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1803"
- Value = 3
- }
- @{
- Id = "DTBI120-IE11"
- Task = "Font downloads must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1604"
- Value = 3
- }
- @{
- Id = "DTBI121-IE11"
- Task = "Java permissions must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI122-IE11"
- Task = "Accessing data sources across domains must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1406"
- Value = 3
- }
- @{
- Id = "DTBI123-IE11"
- Task = "The Allow META REFRESH property must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1608"
- Value = 3
- }
- @{
- Id = "DTBI126-IE11"
- Task = "Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1802"
- Value = 3
- }
- @{
- Id = "DTBI128-IE11"
- Task = "Launching programs and files in IFRAME must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1804"
- Value = 3
- }
- @{
- Id = "DTBI129-IE11"
- Task = "Navigating windows and frames across different domains must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1607"
- Value = 3
- }
- @{
- Id = "DTBI132-IE11"
- Task = "Userdata persistence must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1606"
- Value = 3
- }
- @{
- Id = "DTBI133-IE11"
- Task = "Active scripting must be disallowed (Restricted Sites Zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1400"
- Value = 3
- }
- @{
- Id = "DTBI134-IE11"
- Task = "Clipboard operations via script must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1407"
- Value = 3
- }
- @{
- Id = "DTBI136-IE11"
- Task = "Logon options must be configured and enforced (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1A00"
- Value = 196608
- }
- @{
- Id = "DTBI300-IE11"
- Task = "Configuring History setting must be set to 40 days."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History"
- Name = "DaysToKeep"
- Value = 40
- }
- @{
- Id = "DTBI318-IE11"
- Task = "Internet Explorer must be set to disallow users to add/delete sites."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "Security_zones_map_edit"
- Value = 1
- }
- @{
- Id = "DTBI319-IE11"
- Task = "Internet Explorer must be configured to disallow users to change policies."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "Security_options_edit"
- Value = 1
- }
- @{
- Id = "DTBI320-IE11"
- Task = "Internet Explorer must be configured to use machine settings."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "Security_HKLM_only"
- Value = 1
- }
- @{
- Id = "DTBI325-IE11"
- Task = "Security checking features must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Security"
- Name = "DisableSecuritySettingsCheck"
- Value = 0
- }
- @{
- Id = "DTBI350-IE11"
- Task = "Software must be disallowed to run or install with invalid signatures."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Download"
- Name = "RunInvalidSignatures"
- Value = 0
- }
- @{
- Id = "DTBI365-IE11"
- Task = "Checking for server certificate revocation must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "CertificateRevocation"
- Value = 1
- }
- @{
- Id = "DTBI370-IE11"
- Task = "Checking for signatures on downloaded programs must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Download"
- Name = "CheckExeSignatures"
- Value = "yes"
- }
- @{
- Id = "DTBI375-IE11"
- Task = "All network paths (UNCs) for Intranet sites must be disallowed."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
- Name = "UNCAsIntranet"
- Value = 0
- }
- @{
- Id = "DTBI385-IE11"
- Task = "Script-initiated windows without size or position constraints must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2102"
- Value = 3
- }
- @{
- Id = "DTBI390-IE11"
- Task = "Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2102"
- Value = 3
- }
- @{
- Id = "DTBI395-IE11"
- Task = "Scriptlets must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1209"
- Value = 3
- }
- @{
- Id = "DTBI415-IE11"
- Task = "Automatic prompting for file downloads must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2200"
- Value = 3
- }
- @{
- Id = "DTBI425-IE11"
- Task = "Java permissions must be disallowed (Local Machine zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI430-IE11"
- Task = "Java permissions must be disallowed (Locked Down Local Machine zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI435-IE11"
- Task = "Java permissions must be disallowed (Locked Down Intranet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI440-IE11"
- Task = "Java permissions must be disallowed (Locked Down Trusted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI450-IE11"
- Task = "Java permissions must be disallowed (Locked Down Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4"
- Name = "1C00"
- Value = 0
- }
- @{
- Id = "DTBI455-IE11"
- Task = "XAML files must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2402"
- Value = 3
- }
- @{
- Id = "DTBI460-IE11"
- Task = "XAML files must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2402"
- Value = 3
- }
- @{
- Id = "DTBI485-IE11"
- Task = "Protected Mode must be enforced (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2500"
- Value = 0
- }
- @{
- Id = "DTBI490-IE11"
- Task = "Protected Mode must be enforced (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2500"
- Value = 0
- }
- @{
- Id = "DTBI495-IE11"
- Task = "Pop-up Blocker must be enforced (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1809"
- Value = 0
- }
- @{
- Id = "DTBI500-IE11"
- Task = "Pop-up Blocker must be enforced (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1809"
- Value = 0
- }
- @{
- Id = "DTBI515-IE11"
- Task = "Websites in less privileged web content zones must be prevented from navigating into the Internet zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2101"
- Value = 3
- }
- @{
- Id = "DTBI520-IE11"
- Task = "Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2101"
- Value = 3
- }
- @{
- Id = "DTBI575-IE11"
- Task = "Allow binary and script behaviors must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2000"
- Value = 3
- }
- @{
- Id = "DTBI580-IE11"
- Task = "Automatic prompting for file downloads must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2200"
- Value = 3
- }
- @{
- Id = "DTBI590-IE11"
- Task = "Internet Explorer Processes for MIME handling must be enforced. (Reserved)"
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI592-IE11"
- Task = "Internet Explorer Processes for MIME handling must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI594-IE11"
- Task = "Internet Explorer Processes for MIME handling must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI595-IE11"
- Task = "Internet Explorer Processes for MIME sniffing must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI596-IE11"
- Task = "Internet Explorer Processes for MIME sniffing must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI597-IE11"
- Task = "Internet Explorer Processes for MIME sniffing must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI599-IE11"
- Task = "Internet Explorer Processes for MK protocol must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI600-IE11"
- Task = "Internet Explorer Processes for MK protocol must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI605-IE11"
- Task = "Internet Explorer Processes for MK protocol must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI610-IE11"
- Task = "Internet Explorer Processes for Zone Elevation must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI612-IE11"
- Task = "Internet Explorer Processes for Zone Elevation must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI614-IE11"
- Task = "Internet Explorer Processes for Zone Elevation must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI630-IE11"
- Task = "Internet Explorer Processes for Restrict File Download must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI635-IE11"
- Task = "Internet Explorer Processes for Restrict File Download must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI640-IE11"
- Task = "Internet Explorer Processes for Restrict File Download must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI645-IE11"
- Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI647-IE11"
- Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI649-IE11"
- Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI650-IE11"
- Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2004"
- Value = 3
- }
- @{
- Id = "DTBI655-IE11"
- Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2001"
- Value = 3
- }
- @{
- Id = "DTBI670-IE11"
- Task = "Scripting of Java applets must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1402"
- Value = 3
- }
- @{
- Id = "DTBI690-IE11"
- Task = "AutoComplete feature for forms must be disallowed."
- Path = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Main"
- Name = "Use FormSuggest"
- Value = "no"
- }
- @{
- Id = "DTBI715-IE11"
- Task = "Crash Detection management must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions"
- Name = "NoCrashDetection"
- Value = 1
- }
- @{
- Id = "DTBI725-IE11"
- Task = "Turn on the auto-complete feature for user names and passwords on forms must be disabled."
- Path = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Main"
- Name = "FormSuggest PW Ask"
- Value = "no"
- }
- @{
- Id = "DTBI740-IE11"
- Task = "Managing SmartScreen Filter use must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter"
- Name = "EnabledV9"
- Value = 1
- }
- @{
- Id = "DTBI760-IE11"
- Task = "Browser must retain history on exit."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Privacy"
- Name = "ClearBrowsingHistoryOnExit"
- Value = 0
- }
- @{
- Id = "DTBI770-IE11"
- Task = "Deleting websites that the user has visited must be disallowed."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Privacy"
- Name = "CleanHistory"
- Value = 0
- }
- @{
- Id = "DTBI780-IE11"
- Task = "InPrivate Browsing must be disallowed."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Privacy"
- Name = "EnableInPrivateBrowsing"
- Value = 0
- }
- @{
- Id = "DTBI800-IE11"
- Task = "Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1206"
- Value = 3
- }
- @{
- Id = "DTBI810-IE11"
- Task = "When uploading files to a server, the local directory path must be excluded (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "160A"
- Value = 3
- }
- @{
- Id = "DTBI815-IE11"
- Task = "Internet Explorer Processes for Notification Bars must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI820-IE11"
- Task = "Security Warning for unsafe files must be set to prompt (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1806"
- Value = 1
- }
- @{
- Id = "DTBI825-IE11"
- Task = "Internet Explorer Processes for Notification Bars must be enforced (Explorer)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND"
- Name = "explorer.exe"
- Value = "1"
- }
- @{
- Id = "DTBI830-IE11"
- Task = "ActiveX controls without prompt property must be used in approved domains only (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "120b"
- Value = 3
- }
- @{
- Id = "DTBI835-IE11"
- Task = "Internet Explorer Processes for Notification Bars must be enforced (iexplore)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND"
- Name = "iexplore.exe"
- Value = "1"
- }
- @{
- Id = "DTBI840-IE11"
- Task = "Cross-Site Scripting Filter must be enforced (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "1409"
- Value = 0
- }
- @{
- Id = "DTBI850-IE11"
- Task = "Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1206"
- Value = 3
- }
- @{
- Id = "DTBI860-IE11"
- Task = "When uploading files to a server, the local directory path must be excluded (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "160A"
- Value = 3
- }
- @{
- Id = "DTBI870-IE11"
- Task = "Security Warning for unsafe files must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1806"
- Value = 3
- }
- @{
- Id = "DTBI880-IE11"
- Task = "ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "120b"
- Value = 3
- }
- @{
- Id = "DTBI890-IE11"
- Task = "Cross-Site Scripting Filter property must be enforced (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1409"
- Value = 0
- }
- @{
- Id = "DTBI900-IE11"
- Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved)."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "(Reserved)"
- Value = "1"
- }
- @{
- Id = "DTBI910-IE11"
- Task = "Status bar updates via script must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2103"
- Value = 3
- }
- @{
- Id = "DTBI920-IE11"
- Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2004"
- Value = 3
- }
- @{
- Id = "DTBI930-IE11"
- Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2001"
- Value = 3
- }
- @{
- Id = "DTBI940-IE11"
- Task = "Scriptlets must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "1209"
- Value = 3
- }
- @{
- Id = "DTBI950-IE11"
- Task = "Status bar updates via script must be disallowed (Restricted Sites zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2103"
- Value = 3
- }
- @{
- Id = "DTBI985-IE11"
- Task = "When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main"
- Name = "DisableEPMCompat"
- Value = 1
- }
- @{
- Id = "DTBI990-IE11"
- Task = "Dragging of content from different domains across windows must be disallowed (Internet zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2709"
- Value = 3
- }
- @{
- Id = "DTBI995-IE11"
- Task = "Enhanced Protected Mode functionality must be enforced."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main"
- Name = "Isolation"
- Value = "PMEM"
- }
- @{
- Id = "DTBI356-IE11"
- Task = "The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Main"
- Name = "Isolation64Bit"
- Value = 1
- }
- @{
- Id = "DTBI1046-IE11"
- Task = "Anti-Malware programs against ActiveX controls must be run for the Internet zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "270C"
- Value = 0
- }
- @{
- Id = "DTBI062-IE11"
- Task = "Anti-Malware programs against ActiveX controls must be run for the Intranet zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
- Name = "270C"
- Value = 0
- }
- @{
- Id = "DTBI426-IE11"
- Task = "Anti-Malware programs against ActiveX controls must be run for the Local Machine zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
- Name = "270C"
- Value = 0
- }
- @{
- Id = "DTBI1051-IE11"
- Task = "Anti-Malware programs against ActiveX controls must be run for the Restricted Sites zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "270C"
- Value = 0
- }
- @{
- Id = "DTBI092-IE11"
- Task = "Anti-Malware programs against ActiveX controls must be run for the Trusted Sites zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
- Name = "270C"
- Value = 0
- }
- @{
- Id = "DTBI1060-IE11"
- Task = "Prevent bypassing SmartScreen Filter warnings must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter"
- Name = "PreventOverride"
- Value = 1
- }
- @{
- Id = "DTBI1065-IE11"
- Task = "Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter"
- Name = "PreventOverrideAppRepUnknown"
- Value = 1
- }
- @{
- Id = "DTBI1070-IE11"
- Task = "Prevent per-user installation of ActiveX controls must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX"
- Name = "BlockNonAdminActiveXInstall"
- Value = 1
- }
- @{
- Id = "DTBI1075-IE11"
- Task = "Prevent ignoring certificate errors option must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "PreventIgnoreCertErrors"
- Value = 1
- }
- @{
- Id = "DTBI1080-IE11"
- Task = "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "2301"
- Value = 0
- }
- @{
- Id = "DTBI1085-IE11"
- Task = "Turn on SmartScreen Filter scan option for the Restricted Sites Zone must be enabled."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "2301"
- Value = 0
- }
- @{
- Id = "DTBI1090-IE11"
- Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Intranet Zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
- Name = "1201"
- Value = 3
- }
- @{
- Id = "DTBI1095-IE11"
- Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone)."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
- Name = "1201"
- Value = 3
- }
- @{
- Id = "DTBI1100-IE11"
- Task = "Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
- Name = "EnableSSL3Fallback"
- Value = 0
- }
- @{
- Id = "DTBI1105-IE11"
- Task = "Run once selection for running outdated ActiveX controls must be disabled."
- Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext"
- Name = "RunThisTimeEnabled"
- Value = 0
- }
- @{
- Id = "DTBI1110-IE11"
- Task = "Enabling outdated ActiveX controls for Internet Explorer must be blocked."
- Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext"
- Name = "VersionCheckEnabled"
- Value = 1
- }
- @{
- Id = "DTBI1115-IE11"
- Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "120c"
- Value = 3
- }
- @{
- Id = "DTBI1120-IE11"
- Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone."
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "120c"
- Value = 3
- }
- #This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.
- @{
- Id = "DTBI1125-IE11"
- Task = "VBScript must not be allowed to run in Internet Explorer (Internet zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)"
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
- Name = "140C"
- Value = 3
- }
- #This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.
- @{
- Id = "DTBI1130-IE11"
- Task = "VBScript must not be allowed to run in Internet Explorer (Restricted Sites zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)"
- Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
- Name = "140C"
- Value = 3
- }
- )
-}
diff --git a/MicrosoftIE11Audit/MicrosoftIE11Audit.psd1 b/MicrosoftIE11Audit/MicrosoftIE11Audit.psd1
deleted file mode 100644
index 616b3644..00000000
--- a/MicrosoftIE11Audit/MicrosoftIE11Audit.psd1
+++ /dev/null
@@ -1,148 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'MicrosoftIE11Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '0.1'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = 'f3672471-6d9f-4ba9-b034-78e0c2670ba5'
-
-# Author of this module
-Author = 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = "A module that benchmarks your Microsoft Internet Explorer 11 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks."
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'Internet Explorer', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/MicrosoftIE11Audit/MicrosoftIE11Audit.psm1 b/MicrosoftIE11Audit/MicrosoftIE11Audit.psm1
deleted file mode 100644
index 8bb85f89..00000000
--- a/MicrosoftIE11Audit/MicrosoftIE11Audit.psm1
+++ /dev/null
@@ -1,428 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "MS_IE_11_DISA_STIG_V1R16.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { - # 
Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject - ) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} - -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-MsIE11HtmlReport` cmdlet tests Microsoft Internet Explorer 11 settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-MsIE11HtmlReport -Path "reports/report1.html" -#> -function Get-HtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft Internet Explorer 11 Audit Report" ` - -ModuleName "IE11Audit" ` - -BasedOn "DISA Microsoft Internet Explorer Security Technical Implementation Guide V1R16 2018-07-27" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-MsIE11HtmlReport -Value Get-HtmlReport -#endregion \ No newline at end of file diff --git a/MicrosoftIE11Audit/README.md b/MicrosoftIE11Audit/README.md deleted file mode 100644 index afd828f4..00000000 --- a/MicrosoftIE11Audit/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Internet Explorer 11 Audit - -based on -* _Internet Explorer 11 Security Technical Implementation Guide V1R16 2018-07-27_ - -## Overview - -The `IE11Audit`-Module benchmarks the current systems settings with current hardening standards of the DISA Security Technical Implementation Guide. - -## Requirements - -Please make sure that following requirements are fulfilled: - -* **Internet Explorer 11** -* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module. - -## Loading the IE11Audit module - -1. Download the release zip and export the modules in a location you can easily access with PowerShell -2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example: -```Powershell -cd .\Desktop\ -Import-Module -Name .\Audit-Test-Automation\IE11Audit -Verbose -``` -3. Generate a report with `Get-MsIE11HtmlReport` For example: -```PowerShell -Get-MsIE11HtmlReport -Path "reports/report.html" -``` - -## Sample report - -You can find a sample report in the [Sample](Sample) folder. - -## Remarks - -Rule DTBI1125-IE11 and DTBI1130-IE11 only exist on Windows 10 Redstone 2 or later and will therefore fail on other systems. \ No newline at end of file diff --git a/MicrosoftIE11Audit/Sample/report.dark.html b/MicrosoftIE11Audit/Sample/report.dark.html deleted file mode 100644 index 82153c43..00000000 --- a/MicrosoftIE11Audit/Sample/report.dark.html +++ /dev/null @@ -1 +0,0 @@ -Microsoft Internet Explorer 11 Audit Report [03/22/2019 16:25:11]
FB-Pro GmbH

Microsoft Internet Explorer 11 Audit Report

Generated by the IE11Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Internet Explorer Security Technical Implementation Guide V1R16 2018-07-27.

This report was generated at 03/22/2019 16:25:11 on WinSrv16-DC.corp.fbpro.

HostnameWinSrv16-DC.corp.fbpro
Build Number14393
Free disk space(GB) 60.9
Operating SystemMicrosoft Windows Server 2016 Standard
Free physical memory (GB)0.498

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTBI014-IE11 Turn off Encryption Support must be enabled. Compliant True
DTBI015-IE11 The Internet Explorer warning about certificate address mismatch must be enforced. Compliant True
DTBI018-IE11 Check for publishers certificate revocation must be enforced. Compliant True
DTBI022-IE11 The Download signed ActiveX controls property must be disallowed (Internet zone). Compliant True
DTBI023-IE11 The Download unsigned ActiveX controls property must be disallowed (Internet zone). Compliant True
DTBI024-IE11 The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone). Compliant True
DTBI030-IE11 Font downloads must be disallowed (Internet zone). Compliant True
DTBI031-IE11 The Java permissions must be disallowed (Internet zone). Compliant True
DTBI032-IE11 Accessing data sources across domains must be disallowed (Internet zone). Compliant True
DTBI036-IE11 Functionality to drag and drop or copy and paste files must be disallowed (Internet zone). Compliant True
DTBI038-IE11 Launching programs and files in IFRAME must be disallowed (Internet zone). Compliant True
DTBI039-IE11 Navigating windows and frames across different domains must be disallowed (Internet zone). Compliant True
DTBI042-IE11 Userdata persistence must be disallowed (Internet zone). Compliant True
DTBI044-IE11 Clipboard operations via script must be disallowed (Internet zone). Compliant True
DTBI046-IE11 Logon options must be configured to prompt (Internet zone). Compliant True
DTBI061-IE11 Java permissions must be configured with High Safety (Intranet zone). Compliant True
DTBI062-IE11 Anti-Malware programs against ActiveX controls must be run for the Intranet zone. Compliant True
DTBI091-IE11 Java permissions must be configured with High Safety (Trusted Sites zone). Compliant True
DTBI092-IE11 Anti-Malware programs against ActiveX controls must be run for the Trusted Sites zone. Compliant True
DTBI1000-IE11 Dragging of content from different domains within a window must be disallowed (Internet zone). Compliant True
DTBI1005-IE11 Dragging of content from different domains across windows must be disallowed (Restricted Sites zone). Compliant True
DTBI1010-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (Explorer). Compliant True
DTBI1020-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (iexplore). Compliant True
DTBI1025-IE11 Dragging of content from different domains within a window must be disallowed (Restricted Sites zone). Compliant True
DTBI1046-IE11 Anti-Malware programs against ActiveX controls must be run for the Internet zone. Compliant True
DTBI1051-IE11 Anti-Malware programs against ActiveX controls must be run for the Restricted Sites zone. Compliant True
DTBI1060-IE11 Prevent bypassing SmartScreen Filter warnings must be enabled. Compliant True
DTBI1065-IE11 Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet must be enabled. Compliant True
DTBI1070-IE11 Prevent per-user installation of ActiveX controls must be enabled. Compliant True
DTBI1075-IE11 Prevent ignoring certificate errors option must be enabled. Compliant True
DTBI1080-IE11 Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. Compliant True
DTBI1085-IE11 Turn on SmartScreen Filter scan option for the Restricted Sites Zone must be enabled. Compliant True
DTBI1090-IE11 The Initialize and script ActiveX controls not marked as safe must be disallowed (Intranet Zone). Compliant True
DTBI1095-IE11 The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone). Compliant True
DTBI1100-IE11 Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled. Compliant True
DTBI1105-IE11 Run once selection for running outdated ActiveX controls must be disabled. Compliant True
DTBI1110-IE11 Enabling outdated ActiveX controls for Internet Explorer must be blocked. Compliant True
DTBI1115-IE11 Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone. Compliant True
DTBI1120-IE11 Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone. Compliant True
DTBI1125-IE11 VBScript must not be allowed to run in Internet Explorer (Internet zone).(This policy setting will only exist on Windows 10 Redstone 2 or later) Registry value not found. False
DTBI112-IE11 The Download signed ActiveX controls property must be disallowed (Restricted Sites zone). Compliant True
DTBI1130-IE11 VBScript must not be allowed to run in Internet Explorer (Restricted Sites zone).(This policy setting will only exist on Windows 10 Redstone 2 or later) Registry value not found. False
DTBI113-IE11 The Download unsigned ActiveX controls property must be disallowed (Restricted Sites zone). Compliant True
DTBI114-IE11 The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites zone). Compliant True
DTBI115-IE11 ActiveX controls and plug-ins must be disallowed (Restricted Sites zone). Compliant True
DTBI116-IE11 ActiveX controls marked safe for scripting must be disallowed (Restricted Sites zone). Compliant True
DTBI119-IE11 File downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI120-IE11 Font downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI121-IE11 Java permissions must be disallowed (Restricted Sites zone). Compliant True
DTBI122-IE11 Accessing data sources across domains must be disallowed (Restricted Sites zone). Compliant True
DTBI123-IE11 The Allow META REFRESH property must be disallowed (Restricted Sites zone). Compliant True
DTBI126-IE11 Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone). Compliant True
DTBI128-IE11 Launching programs and files in IFRAME must be disallowed (Restricted Sites zone). Compliant True
DTBI129-IE11 Navigating windows and frames across different domains must be disallowed (Restricted Sites zone). Compliant True
DTBI132-IE11 Userdata persistence must be disallowed (Restricted Sites zone). Compliant True
DTBI133-IE11 Active scripting must be disallowed (Restricted Sites Zone). Compliant True
DTBI134-IE11 Clipboard operations via script must be disallowed (Restricted Sites zone). Compliant True
DTBI136-IE11 Logon options must be configured and enforced (Restricted Sites zone). Compliant True
DTBI300-IE11 Configuring History setting must be set to 40 days. Compliant True
DTBI318-IE11 Internet Explorer must be set to disallow users to add/delete sites. Compliant True
DTBI319-IE11 Internet Explorer must be configured to disallow users to change policies. Compliant True
DTBI320-IE11 Internet Explorer must be configured to use machine settings. Compliant True
DTBI325-IE11 Security checking features must be enforced. Compliant True
DTBI350-IE11 Software must be disallowed to run or install with invalid signatures. Compliant True
DTBI356-IE11 The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on. Compliant True
DTBI365-IE11 Checking for server certificate revocation must be enforced. Compliant True
DTBI370-IE11 Checking for signatures on downloaded programs must be enforced. Compliant True
DTBI375-IE11 All network paths (UNCs) for Intranet sites must be disallowed. Compliant True
DTBI385-IE11 Script-initiated windows without size or position constraints must be disallowed (Internet zone). Compliant True
DTBI390-IE11 Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone). Compliant True
DTBI395-IE11 Scriptlets must be disallowed (Internet zone). Compliant True
DTBI415-IE11 Automatic prompting for file downloads must be disallowed (Internet zone). Compliant True
DTBI425-IE11 Java permissions must be disallowed (Local Machine zone). Compliant True
DTBI426-IE11 Anti-Malware programs against ActiveX controls must be run for the Local Machine zone. Compliant True
DTBI430-IE11 Java permissions must be disallowed (Locked Down Local Machine zone). Compliant True
DTBI435-IE11 Java permissions must be disallowed (Locked Down Intranet zone). Compliant True
DTBI440-IE11 Java permissions must be disallowed (Locked Down Trusted Sites zone). Compliant True
DTBI450-IE11 Java permissions must be disallowed (Locked Down Restricted Sites zone). Compliant True
DTBI455-IE11 XAML files must be disallowed (Internet zone). Compliant True
DTBI460-IE11 XAML files must be disallowed (Restricted Sites zone). Compliant True
DTBI485-IE11 Protected Mode must be enforced (Internet zone). Compliant True
DTBI490-IE11 Protected Mode must be enforced (Restricted Sites zone). Compliant True
DTBI495-IE11 Pop-up Blocker must be enforced (Internet zone). Compliant True
DTBI500-IE11 Pop-up Blocker must be enforced (Restricted Sites zone). Compliant True
DTBI515-IE11 Websites in less privileged web content zones must be prevented from navigating into the Internet zone. Compliant True
DTBI520-IE11 Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone. Compliant True
DTBI575-IE11 Allow binary and script behaviors must be disallowed (Restricted Sites zone). Compliant True
DTBI580-IE11 Automatic prompting for file downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI590-IE11 Internet Explorer Processes for MIME handling must be enforced. (Reserved) Compliant True
DTBI592-IE11 Internet Explorer Processes for MIME handling must be enforced (Explorer). Compliant True
DTBI594-IE11 Internet Explorer Processes for MIME handling must be enforced (iexplore). Compliant True
DTBI595-IE11 Internet Explorer Processes for MIME sniffing must be enforced (Reserved). Compliant True
DTBI596-IE11 Internet Explorer Processes for MIME sniffing must be enforced (Explorer). Compliant True
DTBI597-IE11 Internet Explorer Processes for MIME sniffing must be enforced (iexplore). Compliant True
DTBI599-IE11 Internet Explorer Processes for MK protocol must be enforced (Reserved). Compliant True
DTBI600-IE11 Internet Explorer Processes for MK protocol must be enforced (Explorer). Compliant True
DTBI605-IE11 Internet Explorer Processes for MK protocol must be enforced (iexplore). Compliant True
DTBI610-IE11 Internet Explorer Processes for Zone Elevation must be enforced (Reserved). Compliant True
DTBI612-IE11 Internet Explorer Processes for Zone Elevation must be enforced (Explorer). Compliant True
DTBI614-IE11 Internet Explorer Processes for Zone Elevation must be enforced (iexplore). Compliant True
DTBI630-IE11 Internet Explorer Processes for Restrict File Download must be enforced (Reserved). Compliant True
DTBI635-IE11 Internet Explorer Processes for Restrict File Download must be enforced (Explorer). Compliant True
DTBI640-IE11 Internet Explorer Processes for Restrict File Download must be enforced (iexplore). Compliant True
DTBI645-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved). Compliant True
DTBI647-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer). Compliant True
DTBI649-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore). Compliant True
DTBI650-IE11 .NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone). Compliant True
DTBI655-IE11 .NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone). Compliant True
DTBI670-IE11 Scripting of Java applets must be disallowed (Restricted Sites zone). Compliant True
DTBI690-IE11 AutoComplete feature for forms must be disallowed. Compliant True
DTBI715-IE11 Crash Detection management must be enforced. Compliant True
DTBI725-IE11 Turn on the auto-complete feature for user names and passwords on forms must be disabled. Compliant True
DTBI740-IE11 Managing SmartScreen Filter use must be enforced. Compliant True
DTBI760-IE11 Browser must retain history on exit. Compliant True
DTBI770-IE11 Deleting websites that the user has visited must be disallowed. Compliant True
DTBI780-IE11 InPrivate Browsing must be disallowed. Compliant True
DTBI800-IE11 Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone). Compliant True
DTBI810-IE11 When uploading files to a server, the local directory path must be excluded (Internet zone). Compliant True
DTBI815-IE11 Internet Explorer Processes for Notification Bars must be enforced (Reserved). Compliant True
DTBI820-IE11 Security Warning for unsafe files must be set to prompt (Internet zone). Compliant True
DTBI825-IE11 Internet Explorer Processes for Notification Bars must be enforced (Explorer). Compliant True
DTBI830-IE11 ActiveX controls without prompt property must be used in approved domains only (Internet zone). Compliant True
DTBI835-IE11 Internet Explorer Processes for Notification Bars must be enforced (iexplore). Compliant True
DTBI840-IE11 Cross-Site Scripting Filter must be enforced (Internet zone). Compliant True
DTBI850-IE11 Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone). Compliant True
DTBI860-IE11 When uploading files to a server, the local directory path must be excluded (Restricted Sites zone). Compliant True
DTBI870-IE11 Security Warning for unsafe files must be disallowed (Restricted Sites zone). Compliant True
DTBI880-IE11 ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone). Compliant True
DTBI890-IE11 Cross-Site Scripting Filter property must be enforced (Restricted Sites zone). Compliant True
DTBI900-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved). Compliant True
DTBI910-IE11 Status bar updates via script must be disallowed (Internet zone). Compliant True
DTBI920-IE11 .NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone). Compliant True
DTBI930-IE11 .NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone). Compliant True
DTBI940-IE11 Scriptlets must be disallowed (Restricted Sites zone). Compliant True
DTBI950-IE11 Status bar updates via script must be disallowed (Restricted Sites zone). Compliant True
DTBI985-IE11 When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode. Compliant True
DTBI990-IE11 Dragging of content from different domains across windows must be disallowed (Internet zone). Compliant True
DTBI995-IE11 Enhanced Protected Mode functionality must be enforced. Compliant True
diff --git a/MicrosoftIE11Audit/Sample/report.html b/MicrosoftIE11Audit/Sample/report.html
deleted file mode 100644
index 837ede4a..00000000
--- a/MicrosoftIE11Audit/Sample/report.html
+++ /dev/null
@@ -1 +0,0 @@
-Microsoft Internet Explorer 11 Audit Report [03/22/2019 16:23:07]
FB-Pro GmbH

Microsoft Internet Explorer 11 Audit Report

Generated by the IE11Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Internet Explorer Security Technical Implementation Guide V1R16 2018-07-27.

This report was generated at 03/22/2019 16:23:07 on WinSrv16-DC.corp.fbpro.

HostnameWinSrv16-DC.corp.fbpro
Build Number14393
Free disk space(GB) 60.9
Operating SystemMicrosoft Windows Server 2016 Standard
Free physical memory (GB)0.487

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTBI014-IE11 Turn off Encryption Support must be enabled. Compliant True
DTBI015-IE11 The Internet Explorer warning about certificate address mismatch must be enforced. Compliant True
DTBI018-IE11 Check for publishers certificate revocation must be enforced. Compliant True
DTBI022-IE11 The Download signed ActiveX controls property must be disallowed (Internet zone). Compliant True
DTBI023-IE11 The Download unsigned ActiveX controls property must be disallowed (Internet zone). Compliant True
DTBI024-IE11 The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone). Compliant True
DTBI030-IE11 Font downloads must be disallowed (Internet zone). Compliant True
DTBI031-IE11 The Java permissions must be disallowed (Internet zone). Compliant True
DTBI032-IE11 Accessing data sources across domains must be disallowed (Internet zone). Compliant True
DTBI036-IE11 Functionality to drag and drop or copy and paste files must be disallowed (Internet zone). Compliant True
DTBI038-IE11 Launching programs and files in IFRAME must be disallowed (Internet zone). Compliant True
DTBI039-IE11 Navigating windows and frames across different domains must be disallowed (Internet zone). Compliant True
DTBI042-IE11 Userdata persistence must be disallowed (Internet zone). Compliant True
DTBI044-IE11 Clipboard operations via script must be disallowed (Internet zone). Compliant True
DTBI046-IE11 Logon options must be configured to prompt (Internet zone). Compliant True
DTBI061-IE11 Java permissions must be configured with High Safety (Intranet zone). Compliant True
DTBI062-IE11 Anti-Malware programs against ActiveX controls must be run for the Intranet zone. Compliant True
DTBI091-IE11 Java permissions must be configured with High Safety (Trusted Sites zone). Compliant True
DTBI092-IE11 Anti-Malware programs against ActiveX controls must be run for the Trusted Sites zone. Compliant True
DTBI1000-IE11 Dragging of content from different domains within a window must be disallowed (Internet zone). Compliant True
DTBI1005-IE11 Dragging of content from different domains across windows must be disallowed (Restricted Sites zone). Compliant True
DTBI1010-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (Explorer). Compliant True
DTBI1020-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (iexplore). Compliant True
DTBI1025-IE11 Dragging of content from different domains within a window must be disallowed (Restricted Sites zone). Compliant True
DTBI1046-IE11 Anti-Malware programs against ActiveX controls must be run for the Internet zone. Compliant True
DTBI1051-IE11 Anti-Malware programs against ActiveX controls must be run for the Restricted Sites zone. Compliant True
DTBI1060-IE11 Prevent bypassing SmartScreen Filter warnings must be enabled. Compliant True
DTBI1065-IE11 Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet must be enabled. Compliant True
DTBI1070-IE11 Prevent per-user installation of ActiveX controls must be enabled. Compliant True
DTBI1075-IE11 Prevent ignoring certificate errors option must be enabled. Compliant True
DTBI1080-IE11 Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. Compliant True
DTBI1085-IE11 Turn on SmartScreen Filter scan option for the Restricted Sites Zone must be enabled. Compliant True
DTBI1090-IE11 The Initialize and script ActiveX controls not marked as safe must be disallowed (Intranet Zone). Compliant True
DTBI1095-IE11 The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone). Compliant True
DTBI1100-IE11 Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled. Compliant True
DTBI1105-IE11 Run once selection for running outdated ActiveX controls must be disabled. Compliant True
DTBI1110-IE11 Enabling outdated ActiveX controls for Internet Explorer must be blocked. Compliant True
DTBI1115-IE11 Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone. Compliant True
DTBI1120-IE11 Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone. Compliant True
DTBI1125-IE11 VBScript must not be allowed to run in Internet Explorer (Internet zone).(This policy setting will only exist on Windows 10 Redstone 2 or later) Registry value not found. False
DTBI112-IE11 The Download signed ActiveX controls property must be disallowed (Restricted Sites zone). Compliant True
DTBI1130-IE11 VBScript must not be allowed to run in Internet Explorer (Restricted Sites zone).(This policy setting will only exist on Windows 10 Redstone 2 or later) Registry value not found. False
DTBI113-IE11 The Download unsigned ActiveX controls property must be disallowed (Restricted Sites zone). Compliant True
DTBI114-IE11 The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites zone). Compliant True
DTBI115-IE11 ActiveX controls and plug-ins must be disallowed (Restricted Sites zone). Compliant True
DTBI116-IE11 ActiveX controls marked safe for scripting must be disallowed (Restricted Sites zone). Compliant True
DTBI119-IE11 File downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI120-IE11 Font downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI121-IE11 Java permissions must be disallowed (Restricted Sites zone). Compliant True
DTBI122-IE11 Accessing data sources across domains must be disallowed (Restricted Sites zone). Compliant True
DTBI123-IE11 The Allow META REFRESH property must be disallowed (Restricted Sites zone). Compliant True
DTBI126-IE11 Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone). Compliant True
DTBI128-IE11 Launching programs and files in IFRAME must be disallowed (Restricted Sites zone). Compliant True
DTBI129-IE11 Navigating windows and frames across different domains must be disallowed (Restricted Sites zone). Compliant True
DTBI132-IE11 Userdata persistence must be disallowed (Restricted Sites zone). Compliant True
DTBI133-IE11 Active scripting must be disallowed (Restricted Sites Zone). Compliant True
DTBI134-IE11 Clipboard operations via script must be disallowed (Restricted Sites zone). Compliant True
DTBI136-IE11 Logon options must be configured and enforced (Restricted Sites zone). Compliant True
DTBI300-IE11 Configuring History setting must be set to 40 days. Compliant True
DTBI318-IE11 Internet Explorer must be set to disallow users to add/delete sites. Compliant True
DTBI319-IE11 Internet Explorer must be configured to disallow users to change policies. Compliant True
DTBI320-IE11 Internet Explorer must be configured to use machine settings. Compliant True
DTBI325-IE11 Security checking features must be enforced. Compliant True
DTBI350-IE11 Software must be disallowed to run or install with invalid signatures. Compliant True
DTBI356-IE11 The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on. Compliant True
DTBI365-IE11 Checking for server certificate revocation must be enforced. Compliant True
DTBI370-IE11 Checking for signatures on downloaded programs must be enforced. Compliant True
DTBI375-IE11 All network paths (UNCs) for Intranet sites must be disallowed. Compliant True
DTBI385-IE11 Script-initiated windows without size or position constraints must be disallowed (Internet zone). Compliant True
DTBI390-IE11 Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone). Compliant True
DTBI395-IE11 Scriptlets must be disallowed (Internet zone). Compliant True
DTBI415-IE11 Automatic prompting for file downloads must be disallowed (Internet zone). Compliant True
DTBI425-IE11 Java permissions must be disallowed (Local Machine zone). Compliant True
DTBI426-IE11 Anti-Malware programs against ActiveX controls must be run for the Local Machine zone. Compliant True
DTBI430-IE11 Java permissions must be disallowed (Locked Down Local Machine zone). Compliant True
DTBI435-IE11 Java permissions must be disallowed (Locked Down Intranet zone). Compliant True
DTBI440-IE11 Java permissions must be disallowed (Locked Down Trusted Sites zone). Compliant True
DTBI450-IE11 Java permissions must be disallowed (Locked Down Restricted Sites zone). Compliant True
DTBI455-IE11 XAML files must be disallowed (Internet zone). Compliant True
DTBI460-IE11 XAML files must be disallowed (Restricted Sites zone). Compliant True
DTBI485-IE11 Protected Mode must be enforced (Internet zone). Compliant True
DTBI490-IE11 Protected Mode must be enforced (Restricted Sites zone). Compliant True
DTBI495-IE11 Pop-up Blocker must be enforced (Internet zone). Compliant True
DTBI500-IE11 Pop-up Blocker must be enforced (Restricted Sites zone). Compliant True
DTBI515-IE11 Websites in less privileged web content zones must be prevented from navigating into the Internet zone. Compliant True
DTBI520-IE11 Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone. Compliant True
DTBI575-IE11 Allow binary and script behaviors must be disallowed (Restricted Sites zone). Compliant True
DTBI580-IE11 Automatic prompting for file downloads must be disallowed (Restricted Sites zone). Compliant True
DTBI590-IE11 Internet Explorer Processes for MIME handling must be enforced. (Reserved) Compliant True
DTBI592-IE11 Internet Explorer Processes for MIME handling must be enforced (Explorer). Compliant True
DTBI594-IE11 Internet Explorer Processes for MIME handling must be enforced (iexplore). Compliant True
DTBI595-IE11 Internet Explorer Processes for MIME sniffing must be enforced (Reserved). Compliant True
DTBI596-IE11 Internet Explorer Processes for MIME sniffing must be enforced (Explorer). Compliant True
DTBI597-IE11 Internet Explorer Processes for MIME sniffing must be enforced (iexplore). Compliant True
DTBI599-IE11 Internet Explorer Processes for MK protocol must be enforced (Reserved). Compliant True
DTBI600-IE11 Internet Explorer Processes for MK protocol must be enforced (Explorer). Compliant True
DTBI605-IE11 Internet Explorer Processes for MK protocol must be enforced (iexplore). Compliant True
DTBI610-IE11 Internet Explorer Processes for Zone Elevation must be enforced (Reserved). Compliant True
DTBI612-IE11 Internet Explorer Processes for Zone Elevation must be enforced (Explorer). Compliant True
DTBI614-IE11 Internet Explorer Processes for Zone Elevation must be enforced (iexplore). Compliant True
DTBI630-IE11 Internet Explorer Processes for Restrict File Download must be enforced (Reserved). Compliant True
DTBI635-IE11 Internet Explorer Processes for Restrict File Download must be enforced (Explorer). Compliant True
DTBI640-IE11 Internet Explorer Processes for Restrict File Download must be enforced (iexplore). Compliant True
DTBI645-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved). Compliant True
DTBI647-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer). Compliant True
DTBI649-IE11 Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore). Compliant True
DTBI650-IE11 .NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone). Compliant True
DTBI655-IE11 .NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone). Compliant True
DTBI670-IE11 Scripting of Java applets must be disallowed (Restricted Sites zone). Compliant True
DTBI690-IE11 AutoComplete feature for forms must be disallowed. Compliant True
DTBI715-IE11 Crash Detection management must be enforced. Compliant True
DTBI725-IE11 Turn on the auto-complete feature for user names and passwords on forms must be disabled. Compliant True
DTBI740-IE11 Managing SmartScreen Filter use must be enforced. Compliant True
DTBI760-IE11 Browser must retain history on exit. Compliant True
DTBI770-IE11 Deleting websites that the user has visited must be disallowed. Compliant True
DTBI780-IE11 InPrivate Browsing must be disallowed. Compliant True
DTBI800-IE11 Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone). Compliant True
DTBI810-IE11 When uploading files to a server, the local directory path must be excluded (Internet zone). Compliant True
DTBI815-IE11 Internet Explorer Processes for Notification Bars must be enforced (Reserved). Compliant True
DTBI820-IE11 Security Warning for unsafe files must be set to prompt (Internet zone). Compliant True
DTBI825-IE11 Internet Explorer Processes for Notification Bars must be enforced (Explorer). Compliant True
DTBI830-IE11 ActiveX controls without prompt property must be used in approved domains only (Internet zone). Compliant True
DTBI835-IE11 Internet Explorer Processes for Notification Bars must be enforced (iexplore). Compliant True
DTBI840-IE11 Cross-Site Scripting Filter must be enforced (Internet zone). Compliant True
DTBI850-IE11 Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone). Compliant True
DTBI860-IE11 When uploading files to a server, the local directory path must be excluded (Restricted Sites zone). Compliant True
DTBI870-IE11 Security Warning for unsafe files must be disallowed (Restricted Sites zone). Compliant True
DTBI880-IE11 ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone). Compliant True
DTBI890-IE11 Cross-Site Scripting Filter property must be enforced (Restricted Sites zone). Compliant True
DTBI900-IE11 Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved). Compliant True
DTBI910-IE11 Status bar updates via script must be disallowed (Internet zone). Compliant True
DTBI920-IE11 .NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone). Compliant True
DTBI930-IE11 .NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone). Compliant True
DTBI940-IE11 Scriptlets must be disallowed (Restricted Sites zone). Compliant True
DTBI950-IE11 Status bar updates via script must be disallowed (Restricted Sites zone). Compliant True
DTBI985-IE11 When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode. Compliant True
DTBI990-IE11 Dragging of content from different domains across windows must be disallowed (Internet zone). Compliant True
DTBI995-IE11 Enhanced Protected Mode functionality must be enforced. Compliant True
diff --git a/MicrosoftIE11Audit/Settings.psd1 b/MicrosoftIE11Audit/Settings.psd1
deleted file mode 100644
index 3392e791..00000000
--- a/MicrosoftIE11Audit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mailto@example.com"
- MailFrom = "Microsoft IE11 Audit Reporting"
- Encoding = "UTF8"
- User = "audittap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-}
\ No newline at end of file
diff --git a/MozillaFirefoxAudit/MozillaFirefoxAudit.psd1 b/MozillaFirefoxAudit/MozillaFirefoxAudit.psd1
deleted file mode 100644
index b2ef50ec..00000000
--- a/MozillaFirefoxAudit/MozillaFirefoxAudit.psd1
+++ /dev/null
@@ -1,148 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'MozillaFirefoxAudit.psm1'
-
-# Version number of this module.
-ModuleVersion = '0.1'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = '6ad3bac7-ba3e-43f6-ad0e-b87d06cdfbd8'
-
-# Author of this module
-Author = 'Benedikt Böhme'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = "A module that benchmarks your Mozilla Firefox settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks."
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'mozilla firefox', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = '' - - # ReleaseNotes of this module - # ReleaseNotes = '' - - } # End of PSData hashtable - -} # End of PrivateData hashtable - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - -} diff --git a/MozillaFirefoxAudit/MozillaFirefoxAudit.psm1 b/MozillaFirefoxAudit/MozillaFirefoxAudit.psm1 deleted file mode 100644 index 99b8ea90..00000000 --- a/MozillaFirefoxAudit/MozillaFirefoxAudit.psm1 +++ /dev/null 
@@ -1,715 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-using module ATAPHtmlReport
-
-# Import setting from file
-$Settings = Import-LocalizedData -FileName "Settings.psd1"
-
-#region Import tests configuration settings
-$CisBenchmarks = Import-LocalizedData -FileName "Mozilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1"
-$DisaRequirements = Import-LocalizedData -FileName "Mozilla_FireFox_DISA_STIG_V4R24.psd1"
-#endregion
-
-
-#region Logging functions
-function Set-LogFile {
- [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
- Param(
- [Parameter(Mandatory = $true)]
- [Alias('LogPath')]
- [string]$Path,
- [Parameter(Mandatory = $true)]
- [Alias('Logname')]
- [string]$Name
- )
-
- $FullPath = Get-FullPath $Path $Name
-
- # Create file if it does not already exists
- if (!(Test-Path -Path $FullPath)) {
-
- # Create file and start logging
- New-Item -Path $FullPath -ItemType File -Force | Out-Null
-
- Add-Content -Path $FullPath -Value "***************************************************************************************************"
- Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]"
- Add-Content -Path $FullPath -Value "***************************************************************************************************"
- Add-Content -Path $FullPath -Value ""
- Add-Content -Path $FullPath -Value ""
- }
-}
-
-function Write-LogFile {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true)]
- [Alias('LogMessage')]
- [string]$Message,
-
- [Parameter(Mandatory = $true)]
- [Alias('LogPath')]
- [string]$Path,
-
- [Parameter(Mandatory = $true)]
- [Alias('Logname')]
- [string]$Name,
-
- [ValidateSet("Error", "Warning", "Info")]
- [string]$Level = "Info"
- )
-
-
- Set-LogFile $Path $Name
- $FullPath = Get-FullPath $Path $Name
-
- # Format date for log file
- $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-
- switch ($Level) {
- 'Error' {
- # Write-Error $Message
- $LevelText = '[ERROR]:'
- }
- 'Warning' {
- # Write-Warning $Message
- $LevelText = '[WARNING]:'
- }
- 
'Info' {
- # Write-Verbose $Message
- $LevelText = '[INFO]:'
- }
- }
- Add-Content $FullPath "$FormattedDate $LevelText"
- Add-Content $FullPath "$Message"
- Add-Content $FullPath "--------------------------"
- Add-Content $FullPath ""
-}
-
-function Get-FullPath {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true)]
- [string]$Path,
- [Parameter(Mandatory = $true)]
- [string]$File
- )
-
- $FullPath = ""
- if ($Path.Length -gt 0) {
- if ($Path[$Path.Length - 1] -ne "\") {
- $FullPath = $Path + "\" + $File
- }
- else {
- $FullPath = $Path + $File
- }
- }
-
- return $FullPath
-}
-#endregion
-
-#region helper classes
-class LockPrefSetting {
- [string] $Name
- $Value
-}
-#endregion
-
-#region Helper functions
-
-function PreprocessSpecialValueSetting {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $InputObject
- )
-
- Process {
- if ($InputObject.Keys -contains "SpecialValue") {
- $Type = $InputObject.SpecialValue.Type
- $PreValue = $InputObject.SpecialValue.Value
-
- $InputObject.Remove("SpecialValue")
- if ($Type -eq "Range") {
- $preValue = $preValue.ToLower()
-
- $predicates = @()
- if ($preValue -match "([0-9]+)[a-z ]* or less") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -le $y }.GetNewClosure()
- }
- if ($preValue -match "([0-9]+)[ a-z]* or greater") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -ge $y }.GetNewClosure()
- }
- if ($preValue -match "not ([0-9]+)") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -ne $y }.GetNewClosure()
- }
-
- $InputObject.ExpectedValue = $preValue
- $InputObject.Predicate = {
- param($x)
- return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false
- }.GetNewClosure()
- return $InputObject
- }
- elseif ($Type -eq "Placeholder") {
- $value = $Settings[$preValue]
- $InputObject.Value = $value
-
- if ([string]::IsNullOrEmpty($value)) {
- $InputObject.ExpectedValue = "Non-empty string."
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure()
- return $InputObject
- }
-
- $InputObject.ExpectedValue = $value
- $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure()
- return $InputObject
- }
- }
-
- $value = $InputObject.Value
-
- if ($value.Count -gt 1) {
- $InputObject.ExpectedValue = $value -join ", "
- $InputObject.Predicate = {
- param([string[]]$xs)
-
- if ($xs.Count -ne $value.Count) {
- return $false
- }
-
- $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b }
- $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction)
- return $comparison -notcontains $false
- }.GetNewClosure()
- return $InputObject
- }
-
- $InputObject.ExpectedValue = $value
- $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure()
- return $InputObject
- }
-}
-
-function PreprocessLockPrefSetting {
- [CmdletBinding()]
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $InputObject,
-
- [LockPrefSetting[]] $CurrentLockPrefs = (Get-FirefoxLockPrefs)
- )
-
- process {
- $InputObject.CurrentLockPrefs = $CurrentLockPrefs
- return $InputObject
- }
-}
-
-function Get-FirefoxInstallDirectory {
- $firefoxPath = "HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\"
- if (-not (Test-Path $firefoxPath)) {
- $firefoxPath = "HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\"
- }
- $currentFirefox = Get-ChildItem -Path $firefoxPath | Select-Object -Last 1
- $installDir = $currentFirefox | Get-ChildItem | Where-Object PSChildName -EQ "Main"
- return $installDir | Get-ItemProperty | Select-Object -ExpandProperty "Install Directory"
-}
-
-function Get-FirefoxLocalSettingsFile {
- return "{0}\defaults\pref\local-settings.js" -f (Get-FirefoxInstallDirectory)
-}
-
-function Get-FirefoxMozillaCfgFileName {
- $localSettingsFilePath = Get-FirefoxLocalSettingsFile
- $content = if (Test-Path $localSettingsFilePath) { Get-Content $localSettingsFilePath
} else { $null }
- $filename = $content | ForEach-Object {
- if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") {
- return $Matches[1]
- }
- return $null
- } | Where-Object { $null -ne $_ } | Select-Object -Last 1
-
- if ($null -eq $filename) {
- return "mozilla.cfg"
- }
-
- return $filename
-}
-
-function Get-FirefoxMozillaCfgFile {
- return "{0}\{1}" -f (Get-FirefoxInstallDirectory), (Get-FirefoxMozillaCfgFileName)
-}
-
-function Get-FirefoxLockPrefs {
- if (-not (Test-Path (Get-FirefoxMozillaCfgFile))) {
- return $null
- }
-
- $regex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f @(
- "(?true|false)"
- "(?\d+)"
- "`"(?(\\.|[^`"\\])*)`""
- )
-
- $currentLockPrefs = Get-Content (Get-FirefoxMozillaCfgFile) | ForEach-Object {
- if ($_ -match $regex) {
- $value = $null
- if ($Matches.Keys -contains "bool") {
- $value = [bool]::Parse($Matches["bool"])
- }
- elseif ($Matches.Keys -contains "number") {
- $value = [int]::Parse($Matches["number"])
- }
- elseif ($Matches.Keys -contains "string") {
- $value = $Matches["string"]
- }
-
- [LockPrefSetting]@{ Name = $Matches[1]; Value = $value }
- }
- } | Where-Object { $null -ne $_ }
-
- return $currentLockPrefs
-}
-#endregion
-
-#region Audit functions
-function Get-RegistryAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Path,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Name,
-
- [Parameter(ValueFromPipelineByPropertyName = $true)]
- [AllowEmptyString()]
- [object[]] $Value,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [ScriptBlock] $Predicate,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- 
[String] $ExpectedValue,
-
- [Parameter(ValueFromPipelineByPropertyName = $true)]
- [bool] $DoesNotExist = $false
- )
-
- process {
- try {
- $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name `
- | Select-Object -ExpandProperty $Name
-
- if (-not (& $Predicate $regValues)) {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error `
- -Message "$($Id): Registry value $Name in registry key $Path is not correct."
-
- $regValue = $regValues -join ", "
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue."
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException] {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error `
- -Message "$($Id): Could not get value $Name in registry key $path."
-
- if ($DoesNotExist) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant. Registry value not set."
- Audit = [AuditStatus]::True
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Registry value not found."
- Audit = [AuditStatus]::False
- }
- }
- catch [System.Management.Automation.ItemNotFoundException] {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error `
- -Message "$($Id): Could not get key $Name in registry key $path."
-
- if ($DoesNotExist) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant. Registry value not set."
- Audit = [AuditStatus]::True
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Registry key not found."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-FirefoxLocalSettingsFileAudit {
- $Id = "1.1"
- $Task = "Create local-settings.js file"
-
- if (-not (Test-Path (Get-FirefoxLocalSettingsFile))){
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "local-settings.js file does not exist."
- Audit = [AuditStatus]::False
- }
- }
-
- $generalConfigFilename = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object {
- $_ -match "^pref\s*\(\s*`"general\.config\.filename`"\s*,\s*`"([\w\-. ]+\.cfg)`"\s*\);"
- }
-
- if ($generalConfigFilename.Count -eq 0) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "File does not set 'general.config.filename'"
- Audit = [AuditStatus]::False
- }
- }
-
- $generalConfigObscure = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object {
- $_ -match "^pref\s*\(\s*`"general\.config\.obscure_value`"\s*,\s*0\s*\);"
- }
-
- if ($generalConfigObscure.Count -eq 0) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "File does not set 'general.config.obscure' = 0"
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
-}
-
-function Get-FirefoxMozillaCfgFileAudit {
- $name = Get-FirefoxMozillaCfgFileName
-
- $Id = "1.3"
- $Task = "Create $name file"
-
- if (-not (Test-Path (Get-FirefoxMozillaCfgFile))){
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "$name file does not exist."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
-}
-
-function Get-FileAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Path,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [scriptblock] $Predicate
- )
-
- process {
- if (-not (Test-Path $Path)) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "File does not exist."
- Audit = [AuditStatus]::False
- }
- }
-
- if (-not (&$Predicate (Get-Content $Path))) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "File does not match predicate."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant."
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-LockPrefSettingAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [LockPrefSetting[]] $LockPrefs,
-
- [LockPrefSetting[]] $CurrentLockPrefs = (Get-FirefoxLockPrefs)
- )
-
- process {
- if ($null -eq $CurrentLockPrefs) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "general config does not exist."
- Audit = [AuditStatus]::None
- }
- }
-
- $missingLockPrefs = $LockPrefs | Where-Object {
- $LockPref = $_
- # LockPref not in currentLockPrefs
- ($currentLockPrefs | Where-Object {
- ($_.Name -eq $LockPref.Name) -and ($_.Value -is $LockPref.Value.GetType()) -and ($_.Value -eq $LockPref.Value)
- }).Count -eq 0
- }
-
- if ($missingLockPrefs.Count -gt 0) {
- $msg = ($missingLockPrefs | ForEach-Object { "lockPref(`"{0}`", {1})" -f $_.Name, $_.Value }) -join "; "
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Missing lockprefs: $msg."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant."
- Audit = [AuditStatus]::True
- }
- }
-}
-#endregion
-
-
-function New-AuditPipeline {
- [CmdletBinding()]
- param(
- [Parameter(Mandatory = $true, Position = 0)]
- [scriptblock[]] $AuditFunctions
- )
-
- return {
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $AuditSetting
- )
-
- process {
- $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting
-
- foreach ($auditFunction in $AuditFunctions) {
- $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference
- if ($audit -is [AuditInfo]) {
- return $audit
- }
- }
- return $null
- }
- }.GetNewClosure()
-}
-
-function Get-CisAudit {
-[CmdletBinding()]
- Param(
- [switch] $FileConfig,
- [switch] $FirefoxLockPrefSettings
- )
- # cis FirefoxLockPrefSettings
- if ($FileConfig) {
- Get-FirefoxLocalSettingsFileAudit
- # missing 1.2
- Get-FirefoxMozillaCfgFileAudit
- # missing 1.4
- # missing 1.5
- }
- # cis FirefoxLockPrefSettings
- if ($FirefoxLockPrefSettings) {
- $currentLockPrefs = (Get-FirefoxLockPrefs)
- $pipline = New-AuditPipeline ${Function:Get-LockPrefSettingAudit}
- $CisBenchmarks.FirefoxLockPrefSettings | PreprocessLockPrefSetting -CurrentLockPrefs $currentLockPrefs | &$pipline -Verbose:$VerbosePreference
- }
-}
-
-function Get-DisaAudit {
- [CmdletBinding()]
- Param(
- [switch] 
$FirefoxLockPrefSettings
- )
- # disa FirefoxLockPrefSettings
- if ($FirefoxLockPrefSettings) {
- $currentLockPrefs = (Get-FirefoxLockPrefs)
- $pipline = New-AuditPipeline ${Function:Get-LockPrefSettingAudit}
- $DisaRequirements.FirefoxLockPrefSettings | PreprocessLockPrefSetting -CurrentLockPrefs $currentLockPrefs | &$pipline -Verbose:$VerbosePreference
- }
-}
-
-#region Report-Generation
-<#
- In this section the HTML report gets build and saved to the desired destination set by parameter saveTo
-#>
-
-<#
-.Synopsis
- Generates an audit report in an html file.
-.Description
- The `Get-MozillaFirefoxHtmlReport` cmdlet tests the preferences of the Firefox installation and stores an html report at the path you specify.
-.Parameter Path
- Specifies the relative path to the file where the report will be stored.
-.Parameter DarkMode
- The report will use a darker color scheme with light text on a dark background.
-.Example
- C:\PS> Get-MozillaFirefoxHtmlReport -Path "reports/report1.html"
-#>
-function Save-MozillaFirefoxHtmlReport {
- param (
- [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html",
-
- [switch] $DarkMode
- )
-
- $parent = Split-Path $Path
- if (Test-Path $parent) {
- [hashtable[]]$sections = @(
- @{
- Title = "CIS Benchmarks"
- Description = "This section contains all CIS benchmarks"
- SubSections = @(
- @{
- Title = "Configure Locked Preferences"
- AuditInfos = Get-CisAudit -FileConfig | Sort-Object -Property Id
- }
- @{
- Title = "Preference Settings"
- AuditInfos = Get-CisAudit -FirefoxLockPrefSettings | Sort-Object -Property Id
- }
- )
- }
-
- @{
- Title = "DISA Recommendations"
- Description = "This section contains all DISA recommendations"
- SubSections = @(
- @{
- Title = "Preference Settings"
- AuditInfos = Get-DisaAudit -FirefoxLockPrefSettings | Sort-Object -Property Id
- }
- )
- }
- )
-
- Get-ATAPHtmlReport `
- -Path $Path `
- -Title "Mozilla Firefox Audit Report" `
- 
-ModuleName "MozillaFirefoxAudit" `
- -BasedOn @(
- "CIS Mozilla Firefox 38 ESR Benchmark v1.0.0 - 2015-12-31"
- "DISA Mozilla FireFox Security Technical Implementation Guide V4R24 2019-01-25"
- ) `
- -Sections $sections `
- -DarkMode:$DarkMode
- }
- else {
- Write-Error "The path doesn't not exist!"
- }
-}
-
-Set-Alias -Name Get-MozillaFirefoxHtmlReport -Value Save-MozillaFirefoxHtmlReport
-Set-Alias -Name Get-FirefoxHtmlReport -Value Save-MozillaFirefoxHtmlReport
-Set-Alias -Name shr -Value Save-MozillaFirefoxHtmlReport
-#endregion
\ No newline at end of file
diff --git a/MozillaFirefoxAudit/Mozilla_FireFox_DISA_STIG_V4R24.psd1 b/MozillaFirefoxAudit/Mozilla_FireFox_DISA_STIG_V4R24.psd1
deleted file mode 100644
index 94679015..00000000
--- a/MozillaFirefoxAudit/Mozilla_FireFox_DISA_STIG_V4R24.psd1
+++ /dev/null
@@ -1,117 +0,0 @@
-# Requirements for Mozilla FireFox DISA STIG V4R24
-
-@{
- # RegistrySettings = @(
- # @{
- # Id = "DTBF003"
- # Task = "Installed version of Firefox unsupported."
- # Path = "HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion"
- # Name = "firefox.exe"
- # Value = 0 # is equal to or greater than 50.1.x (or ESR 45.7.x)
- # }
- # )
- FirefoxLockPrefSettings = @(
- @{
- Id = "DTBF030"
- Task = "Firewall traversal from remote host must be disabled."
- LockPrefs = @(
- @{ Name = "security.enable_tls"; Value = $true }
- @{ Name = "security.tls.version.min"; Value = 2 }
- @{ Name = "security.tls.version.max"; Value = 3 }
- )
- }
- @{
- Id = "DTBF050"
- Task = "FireFox is configured to ask which certificate to present to a web site when a certificate is required."
- LockPrefs = @(
- @{ Name = "security.default_personal_cert"; Value = "Ask Every Time" }
- )
- }
- # @{ # Not set - in CIS Benchmarks
- # Id = "DTBF080"
- # Task = "Firefox application is set to auto-update."
- # }
- @{
- Id = "DTBF085"
- Task = "Firefox automatically checks for updated version of installed Search plugins."
- LockPrefs = @(
- @{ Name = "browser.search.update"; Value = $false }
- )
- }
- @{
- Id = "DTBF090"
- Task = "Firefox automatically updates installed add-ons and plugins."
- LockPrefs = @(
- @{ Name = "extensions.update.enabled"; Value = $false }
- )
- }
- @{
- Id = "DTBF105"
- Task = "Network shell protocol is enabled in FireFox."
- LockPrefs = @(
- @{ Name = "network.protocol-handler.external.shell"; Value = $false }
- )
- }
- # @{ # no longer available
- # Id = "DTBF110"
- # Task = "Firefox is not configured to prompt a user before downloading and opening required file types."
- # }
- # @{ # no longer available
- # Id = "DTBF130"
- # Task = "Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page."
- # }
- @{
- Id = "DTBF140"
- Task = "Firefox formfill assistance option is disabled."
- LockPrefs = @(
- @{ Name = "browser.formfill.enable"; Value = $false }
- )
- }
- @{
- Id = "DTBF150"
- Task = "Firefox is configured to autofill passwords."
- LockPrefs = @(
- @{ Name = "signon.autofillForms"; Value = $false }
- )
- }
- # @{ # Not set - in CIS Benchmarks
- # Id = "DTBF160"
- # Task = "FireFox is configured to use a password store with or without a master password."
- # }
- # @{ # Not set - see CIS benchmark 5.4_L1_Disallow_JavaScripts_Ability_to_Hide_the_Status_Bar
- # Id = "DTBF180"
- # Task = "FireFox is not configured to block pop-up windows.
- # }
- @{
- Id = "DTBF181"
- Task = "FireFox is configured to allow JavaScript to move or resize windows."
- LockPrefs = @(
- @{ Name = "dom.disable_window_move_resize"; Value = $true }
- )
- }
- @{
- Id = "DTBF183"
- Task = " Firefox is configured to allow JavaScript to disable or replace context menus."
- LockPrefs = @(
- @{ Name = "dom.event.contextmenu.enabled"; Value = $false }
- )
- }
- # @{ # Not set - in CIS Benchmarks
- # Id = "DTBF184"
- # Task = "Firefox is configured to allow JavaScript to hide or change the status bar."
- # }
- # @{ # no longer available
- # Id = "DTBF186"
- # Task = "Extensions install must be disabled."
- # }
- @{
- Id = "DTBF190"
- Task = "Background submission of information to Mozilla must be disabled."
- LockPrefs = @(
- @{ Name = "datareporting.policy.dataSubmissionEnabled"; Value = $false }
- @{ Name = "datareporting.healthreport.service.enabled"; Value = $false }
- @{ Name = "datareporting.healthreport.uploadEnabled"; Value = $false }
- )
- }
- )
-}
diff --git a/MozillaFirefoxAudit/Mozilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1 b/MozillaFirefoxAudit/Mozilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1
deleted file mode 100644
index 485dbea6..00000000
--- a/MozillaFirefoxAudit/Mozilla_Firefox_38_ESR_Benchmark_v1.0.0.psd1
+++ /dev/null
@@ -1,332 +0,0 @@
-# Mozilla Firefox 38 ESR Benchmark v1.0.0
-
-@{
- FirefoxLockPrefSettings = @(
- @{
- Id = "2.1"
- Task = "Enable Automatic Updates"
- LockPrefs = @(
- @{ Name = "app.update.auto"; Value = $true }
- @{ Name = "app.update.enabled"; Value = $true }
- @{ Name = "app.update.staging.enabled"; Value = $true }
- )
- }
- @{
- Id = "2.2"
- Task = "Enable Auto-Notification of Outdated Plugins"
- LockPrefs = @(
- @{ Name = "plugins.update.notifyUser"; Value = $true }
- )
- }
- @{
- Id = "2.3"
- Task = "Enable Information Bar for Outdated Plugins"
- LockPrefs = @(
- @{ Name = "plugins.hide_infobar_for_outdated_plugin"; Value = $false }
- )
- }
- @{
- Id = "2.4"
- Task = "Set Update Interval Time Checks"
- LockPrefs = @(
- @{ Name = "app.update.interval"; Value = 43200 }
- )
- }
- @{
- Id = "2.5"
- Task = "Set Update Wait Time Prompt"
- LockPrefs = @(
- @{ Name = "app.update.promptWaitTime"; Value = 172800 }
- )
- }
- @{
- Id = "2.6"
- Task = "Ensure Update-related UI Components are Displayed"
- LockPrefs = @(
- @{ Name = "app.update.silent"; Value = $false }
- )
- }
- @{
- Id = "2.7"
- Task = "Set Search Provider Update Behavior"
- LockPrefs = @(
- @{ Name = "app.update.auto"; Value = $true }
- @{ Name = "app.update.enabled"; Value = $true }
- )
- }
- # @{
- # Id = "3.1"
- # Task = "Validate Proxy Settings"
- # }
- @{
- Id = "3.2"
- Task = "Do Not Send Cross SSLTLS Referrer Header"
- LockPrefs = @(
- @{ Name = "network.http.sendSecureXSiteReferrer"; Value = $false }
- )
- }
- @{
- Id = "3.3"
- Task = "Disable NTLM v1"
- LockPrefs = @(
- @{ Name = "network.auth.force-generic-ntlm-v1"; Value = $false }
- )
- }
- @{
- Id = "3.4"
- Task = "Enable Warning For Phishy URLs"
- LockPrefs = @(
- @{ Name = "network.http.phishy-userpass-length"; Value = 1 }
- )
- }
- @{
- Id = "3.5"
- Task = "Enable IDN Show Punycode"
- LockPrefs = @(
- @{ Name = "network.IDN_show_punycode"; Value = $true }
- )
- }
- @{
- Id = "3.6"
- Task = "Set File URI Origin Policy"
- LockPrefs = @(
- @{ Name = "security.fileuri.strict_origin_policy"; Value = $true }
- )
- }
- @{
- Id = "3.7"
- Task = "Disable Cloud Sync"
- LockPrefs = @(
- @{ Name = "services.sync.enabled"; Value = $false }
- )
- }
- @{
- Id = "3.8"
- Task = "Disable WebRTC"
- LockPrefs = @(
- @{ Name = "media.peerconnection.enabled"; Value = $false }
- @{ Name = "media.peerconnection.use_document_iceservers"; Value = $false }
- )
- }
- @{
- Id = "4.1"
- Task = "Set SSL Override Behavior"
- LockPrefs = @(
- @{ Name = "browser.ssl_override_behavior"; Value = 0 }
- )
- }
- @{
- Id = "4.2"
- Task = "Set Security TLS Version Maximum"
- LockPrefs = @(
- @{ Name = "security.tls.version.max"; Value = 3 }
- )
- }
- @{
- Id = "4.3"
- Task = "Set Security TLS Version Minimum "
- LockPrefs = @(
- @{ Name = "security.tls.version.min"; Value = 1 }
- )
- }
- @{
- Id = "4.4"
- Task = "Set OCSP Use Policy"
- LockPrefs = @(
- @{ Name = "security.OCSP.enabled"; Value = 1 }
- )
- }
- @{
- Id = "4.5"
- Task = "Block Mixed Active Content"
- LockPrefs = @(
- @{ Name = "security.mixed_content.block_active_content"; Value = $true }
- )
- }
- @{
- Id = "4.6"
- Task = "Set OCSP Response Policy"
- LockPrefs = @(
- @{ Name = "security.OCSP.require"; Value = $true }
- )
- }
- @{
- Id = "5.1"
- Task = "Disallow JavaScripts Ability to Change the Status Bar Text"
- LockPrefs = @(
- @{ Name = "dom.disable_window_status_change"; Value = $true }
- )
- }
- @{
- Id = "5.2"
- Task = "Disable Scripting of Plugins by JavaScript"
- LockPrefs = @(
- @{ Name = "security.xpconnect.plugin.unrestricted"; Value = $false }
- )
- }
- @{
- Id = "5.3"
- Task = "Disallow JavaScripts Ability to Hide the Address Bar"
- LockPrefs = @(
- @{ Name = "dom.disable_window_open_feature.location"; Value = $true }
- )
- }
- @{
- Id = "5.4"
- Task = "Disallow JavaScripts Ability to Hide the Status Bar"
- LockPrefs = @(
- @{ Name = "dom.disable_window_open_feature.status"; Value = $true }
- )
- }
- @{
- Id = "5.5"
- Task = "Disable Closing of Windows via 
Scripts" - LockPrefs = @( - @{ Name = "dom.allow_scripts_to_close_windows"; Value = $false } - ) - } - @{ - Id = "5.6" - Task = "Block Pop-up Windows" - LockPrefs = @( - @{ Name = "privacy.popups.policy"; Value = 1 } - ) - } - @{ - Id = "5.7" - Task = "Disable Displaying JavaScript in History URLs" - LockPrefs = @( - @{ Name = "browser.urlbar.filter.javascript"; Value = $true } - ) - } - @{ - Id = "6.1" - Task = "Disallow Credential Storage" - LockPrefs = @( - @{ Name = "signon.rememberSignons"; Value = $false } - ) - } - @{ - Id = "6.2" - Task = "Do Not Accept Third Party Cookies" - LockPrefs = @( - @{ Name = "network.cookie.cookieBehavior"; Value = 1 } - ) - } - @{ - Id = "6.3" - Task = "Tracking Protection" - LockPrefs = @( - @{ Name = "privacy.donottrackheader.enabled"; Value = $true } - @{ Name = "privacy.donottrackheader.value"; Value = 1 } - @{ Name = "privacy.trackingprotection.enabled"; Value = $true } - @{ Name = "privacy.trackingprotection.pbmode"; Value = $true } - ) - } - @{ - Id = "6.4" - Task = "Set Delay for Enabling Security Sensitive Dialog Boxes" - LockPrefs = @( - @{ Name = "security.dialog_enable_delay"; Value = 2000 } - ) - } - @{ - Id = "6.5" - Task = "Disable Geolocation Serivces" - LockPrefs = @( - @{ Name = "geo.enabled"; Value = $false } - ) - } - @{ - Id = "7.1" - Task = "Secure Application Plug-ins" - LockPrefs = @( - @{ Name = "browser.helperApps.alwaysAsk.force"; Value = $true } - ) - } - @{ - Id = "7.2" - Task = "Disabling Auto-Install of Add-ons" - LockPrefs = @( - @{ Name = "xpinstall.whitelist.required"; Value = $true } - ) - } - @{ - Id = "7.3" - Task = "Enable Extension Block List" - LockPrefs = @( - @{ Name = "extensions.blocklist.enabled"; Value = $true } - ) - } - @{ - Id = "7.4" - Task = "Set Extension Block List Interval" - LockPrefs = @( - @{ Name = "extensions.blocklist.interval"; Value = 86400 } - ) - } - @{ - Id = "7.5" - Task = "Enable Warning for External Protocol Handler" - LockPrefs = @( - @{ Name = 
"network.protocol-handler.warn-external-default"; Value = $true } - ) - } - @{ - Id = "7.6" - Task = "Disable Popups Initiated by Plugins" - LockPrefs = @( - @{ Name = "privacy.popups.disable_from_plugins"; Value = 2 } - ) - } - @{ - Id = "7.7" - Task = "Enable Extension Auto Update" - LockPrefs = @( - @{ Name = "extensions.update.autoUpdateDefault"; Value = $true } - ) - } - @{ - Id = "7.8" - Task = "Enable Extension Update" - LockPrefs = @( - @{ Name = "extensions.update.enabled"; Value = $true } - ) - } - @{ - Id = "7.9" - Task = "Set Extension Update Interval Time Checks" - LockPrefs = @( - @{ Name = "extensions.update.interval"; Value = 86400 } - ) - } - @{ - Id = "8.1" - Task = "Enable Virus Scanning for Downloads" - LockPrefs = @( - @{ Name = "browser.download.manager.scanWhenDone"; Value = $true } - ) - } - @{ - Id = "8.2" - Task = "Disable JAR from Opening Unsafe File Types" - LockPrefs = @( - @{ Name = "network.jar.open-unsafe-types"; Value = $false } - ) - } - @{ - Id = "8.3" - Task = "Block Reported Web Forgeries" - LockPrefs = @( - @{ Name = "browser.safebrowsing.enabled"; Value = $true } - ) - } - @{ - Id = "8.4" - Task = "Block Reported Attack Sites" - LockPrefs = @( - @{ Name = "browser.safebrowsing.malware.enabled"; Value = $true } - ) - } - ) -} diff --git a/MozillaFirefoxAudit/README.md b/MozillaFirefoxAudit/README.md deleted file mode 100644 index 5a555160..00000000 --- a/MozillaFirefoxAudit/README.md +++ /dev/null 
@@ -1,37 +0,0 @@
-# Mozilla Firefox Audit
-
-based on
-* _CIS Mozilla Firefox 38 ESR Benchmark v1.0.0 - 2015-12-31_
-* _DISA Mozilla FireFox Security Technical Implementation Guide V4R24 2019-01-25_
-
-## Overview
-
-The `MozillaFirefoxAudit`-Module benchmarks the current Mozilla Firefox browser preference settings with current hardening standards from CIS and DISA.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Mozilla Firefox browser**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-## Loading the Mozilla Firefox Audit module
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\MozillaFirefoxAudit -Verbose
-```
-3. Generate a report with `Get-MozillaFirefoxHtmlReport` For example:
-```PowerShell
-Get-MozillaFirefoxHtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
-
-## Remarks
-
-None.
diff --git a/MozillaFirefoxAudit/Settings.psd1 b/MozillaFirefoxAudit/Settings.psd1
deleted file mode 100644
index fe87febd..00000000
--- a/MozillaFirefoxAudit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2018, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - Email = @{ - SMTPServer = "smtp.example.com" - SMTPPort = 25 - MailTo = "mailto@example.com" - MailFrom = "Mozilla Firefox Audit Reporting" - Encoding = "UTF8" - User = "audittap@example.com" - PasswordFile = "" - } - - # Path to logfiles - LogFilePath = "C:\Logs" - - # Standard logfile name, used if no other name is passed as parameter - LogFileName = "auditreport.log" -} \ No newline at end of file 
diff --git a/Outlook2016Audit/MS_Outlook_2016_DISA_STIG_V1R2.psd1 b/Outlook2016Audit/MS_Outlook_2016_DISA_STIG_V1R2.psd1 deleted file mode 100644 index 78c705d2..00000000 --- a/Outlook2016Audit/MS_Outlook_2016_DISA_STIG_V1R2.psd1 +++ /dev/null 
@@ -1,412 +0,0 @@ -# Requirements for Microsoft Outlook 2016 DISA STIG V1R2 -# Created at 03/19/2019 01:00:35 - -@{ - RegistrySettings = @( - @{ - Id = "DTOO104" - Task = "Disabling of user name and password syntax from being used in URLs must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO111" - Task = "Enabling IE Bind to Object functionality must be present." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO117" - Task = "Saved from URL mark to assure Internet zone processing must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO123" - Task = "Navigation to URLs embedded in Office products must be blocked." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO124" - Task = "Scripted Window Security must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO126" - Task = "Add-on Management functionality must be allowed." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO129" - Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO132" - Task = "File Downloads must be configured for proper restrictions." 
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO209" - Task = "Protection from zone elevation must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO211" - Task = "ActiveX Installs must be configured for proper restriction." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" - Name = "outlook.exe" - Value = 1 - } - @{ - Id = "DTOO216" - Task = "Publishing calendars to Office Online must be prevented." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" - Name = "DisableOfficeOnline" - Value = 1 - } - @{ - Id = "DTOO217" - Task = "Publishing to a Web Distributed and Authoring (DAV) server must be prevented." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" - Name = "DisableDav" - Value = 1 - } - @{ - Id = "DTOO218" - Task = "Level of calendar details that a user can publish must be restricted." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" - Name = "PublishCalendarDetailsPolicy" - Value = 16384 # or 4000 - } - @{ - Id = "DTOO219" - Task = "Access restriction settings for published calendars must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal" - Name = "RestrictedAccessOnly" - Value = 1 - } - @{ - Id = "DTOO232" - Task = "Outlook Object Model scripts must be disallowed to run for shared folders." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "SharedFolderScript" - Value = 0 - } - @{ - Id = "DTOO233" - Task = "Outlook Object Model scripts must be disallowed to run for public folders." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PublicFolderScript" - Value = 0 - } - @{ - Id = "DTOO234" - Task = "ActiveX One-Off forms must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "AllowActiveXOneOffForms" - Value = 0 - } - @{ - Id = "DTOO236" - Task = "The Add-In Trust Level must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "AddinTrust" - Value = 1 - } - @{ - Id = "DTOO237" - Task = "The remember password for internet e-mail accounts must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "EnableRememberPwd" - Value = 0 - } - @{ - Id = "DTOO238" - Task = "Users customizing attachment security settings must be prevented." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook" - Name = "DisallowAttachmentCustomization" - Value = 1 - } - @{ - Id = "DTOO239" - Task = "Outlook Security Mode must be configured to use Group Policy settings." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "AdminSecurityMode" - Value = 3 - } - @{ - Id = "DTOO240" - Task = "The ability to display level 1 attachments must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "ShowLevel1Attach" - Value = 0 - }<# - @{ - Id = "DTOO244" - Task = "Level 1 file extensions must be blocked and not removed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security\FileExtensionsRemoveLevel1" - DoesNotExist = $true - } - @{ - Id = "DTOO245" - Task = "Level 2 file extensions must be blocked and not removed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security\FileExtensionsRemoveLevel2" - DoesNotExist = $true - }#> - @{ - Id = "DTOO246" - Task = "Scripts in One-Off Outlook forms must be disallowed." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "EnableOneOffFormScripts" - Value = 0 - } - @{ - Id = "DTOO247" - Task = "Custom Outlook Object Model (OOM) action execution prompts must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMCustomAction" - Value = 0 - } - @{ - Id = "DTOO249" - Task = "Object Model Prompt for programmatic email send behavior must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMSend" - Value = 0 - } - @{ - Id = "DTOO250" - Task = "Object Model Prompt behavior for programmatic address books must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMAddressBookAccess" - Value = 0 - } - @{ - Id = "DTOO251" - Task = "Object Model Prompt behavior for programmatic access of user address data must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMAddressInformationAccess" - Value = 0 - } - @{ - Id = "DTOO252" - Task = "Object Model Prompt behavior for Meeting and Task Responses must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMMeetingTaskRequestResponse" - Value = 0 - } - @{ - Id = "DTOO253" - Task = "Object Model Prompt behavior for the SaveAs method must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMSaveAs" - Value = 0 - } - @{ - Id = "DTOO254" - Task = "Object Model Prompt behavior for accessing User Property Formula must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "PromptOOMFormulaAccess" - Value = 0 - }<# - @{ - Id = "DTOO256" - Task = "Trusted add-ins behavior for email must be configured." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\security" - Name = "trustedaddins" - DoesNotExist = $true - }#> - @{ - Id = "DTOO257" - Task = "S/Mime interoperability with external clients for message handling must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "ExternalSMime" - Value = 0 - } - @{ - Id = "DTOO260" - Task = "Message formats must be set to use SMime." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "MsgFormats" - Value = 1 - } - @{ - Id = "DTOO262" - Task = "Run in FIPS compliant mode must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "FIPSMode" - Value = 1 - } - @{ - Id = "DTOO264" - Task = "Send all signed messages as clear signed messages must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "ClearSign" - Value = 1 - } - @{ - Id = "DTOO266" - Task = "Automatic sending s/Mime receipt requests must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "RespondToReceiptRequests" - Value = 2 - } - @{ - Id = "DTOO267" - Task = "Retrieving of CRL data must be set for online action." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "UseCRLChasing" - Value = 1 - } - @{ - Id = "DTOO270" - Task = "External content and pictures in HTML email must be displayed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "BlockExtContent" - Value = 1 - } - @{ - Id = "DTOO271" - Task = "Automatic download content for email in Safe Senders list must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "UnblockSpecificSenders" - Value = 0 - } - @{ - Id = "DTOO272" - Task = "Permit download of content from safe zones must be configured." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "UnblockSafeZone" - Value = 1 - } - @{ - Id = "DTOO273" - Task = "IE Trusted Zones assumed trusted must be blocked." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "TrustedZone" - Value = 0 - } - @{ - Id = "DTOO274" - Task = "Internet with Safe Zones for Picture Download must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "Internet" - Value = 0 - } - @{ - Id = "DTOO275" - Task = "Intranet with Safe Zones for automatic picture downloads must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "Intranet" - Value = 0 - } - @{ - Id = "DTOO276" - Task = "Always warn on untrusted macros must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "Level" - Value = 3 - } - @{ - Id = "DTOO277" - Task = "Hyperlinks in suspected phishing email messages must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\mail" - Name = "JunkMailEnableLinks" - Value = 0 - } - @{ - Id = "DTOO279" - Task = "RPC encryption between Outlook and Exchange server must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\rpc" - Name = "EnableRPCEncryption" - Value = 1 - } - @{ - Id = "DTOO280" - Task = "Outlook must be configured to force authentication when connecting to an Exchange server." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "AuthenticationService" - Value = 16 # or 10 - } - @{ - Id = "DTOO283" - Task = "Disabling download full text of articles as HTML must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\rss" - Name = "EnableFullTextHTML" - Value = 0 - } - @{ - Id = "DTOO284" - Task = "Automatic download of Internet Calendar appointment attachments must be disallowed." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal" - Name = "EnableAttachments" - Value = 0 - } - @{ - Id = "DTOO285" - Task = "Internet calendar integration in Outlook must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal" - Name = "Disable" - Value = 1 - } - @{ - Id = "DTOO286" - Task = "User Entries to Server List must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\meetings\profile" - Name = "ServerUI" - Value = 2 - } - @{ - Id = "DTOO313" - Task = "Automatically downloading enclosures on RSS must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\options\rss" - Name = "EnableAttachments" - Value = 0 - } - @{ - Id = "DTOO315" - Task = "Outlook must be configured not to prompt users to choose security settings if default settings fail." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "ForceDefaultProfile" - Value = 0 - } - @{ - Id = "DTOO316" - Task = "Outlook minimum encryption key length settings must be set." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "MinEncKey" - Value = 168 - #a8 (hex) or 168 - } - @{ - Id = "DTOO317" - Task = "Replies or forwards to signed/encrypted messages must be signed/encrypted." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "NoCheckOnSessionSecurity" - Value = 1 - } - @{ - Id = "DTOO320" - Task = "Check e-mail addresses against addresses of certificates being used must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\outlook\security" - Name = "SupressNameChecks" - Value = 1 - } - ) -} diff --git a/Outlook2016Audit/Outlook2016Audit.psd1 b/Outlook2016Audit/Outlook2016Audit.psd1 deleted file mode 100644 index 2e95e694..00000000 --- a/Outlook2016Audit/Outlook2016Audit.psd1 +++ /dev/null 
@@ -1,148 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - -# Script module or binary module file associated with this manifest. -RootModule = 'Outlook2016Audit.psm1' - -# Version number of this module. 
-ModuleVersion = '0.1' - -# Supported PSEditions -# CompatiblePSEditions = @() - -# ID used to uniquely identify this module -GUID = 'e5cac7da-09b8-476f-ae85-35ecaaaf077e' - -# Author of this module -Author = 'Dennis Esly' - -# Company or vendor of this module -CompanyName = 'FB Pro GmbH' - -# Copyright statement for this module -Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.' - -# Description of the functionality provided by this module -Description = "A module that benchmarks your Microsoft Excel 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks." - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '5.0' - -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -RequiredModules = @( - 'ATAPHtmlReport' -) - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
-# ScriptsToProcess = @() - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - -# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -# FunctionsToExport = '*' - -# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. -# CmdletsToExport = '*' - -# Variables to export from this module -# VariablesToExport = '*' - -# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. -# AliasesToExport = '*' - -# DSC resources to export from this module -# DscResourcesToExport = @() - -# List of all modules packaged with this module -# ModuleList = @() - -# List of all files packaged with this module -# FileList = @() - -# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. -PrivateData = @{ - - PSData = @{ - - # Tags applied to this module. These help with module discovery in online galleries. - Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'outlook', 'cis', 'disa') - - # A URL to the license for this module. - LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' - - # A URL to the main website for this project. - ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' - - # A URL to an icon representing this module. 
- # IconUri = '' - - # ReleaseNotes of this module - # ReleaseNotes = '' - - } # End of PSData hashtable - -} # End of PrivateData hashtable - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - -} diff --git a/Outlook2016Audit/Outlook2016Audit.psm1 b/Outlook2016Audit/Outlook2016Audit.psm1 deleted file mode 100644 index c49799cb..00000000 --- a/Outlook2016Audit/Outlook2016Audit.psm1 +++ /dev/null 
@@ -1,428 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "MS_Outlook_2016_DISA_STIG_V1R2.psd1" -#endregion - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { 
- # Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-Outlook2016HtmlReport` cmdlet tests Microsoft Outlook 2016 settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-Outlook2016HtmlReport -Path "reports/report1.html" -#> -function Save-Outlook2016HtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft Outlook 2016 Audit Report" ` - -ModuleName "Outlook2016Audit" ` - -BasedOn "DISA Microsoft Outlook 2016 Security Technical Implementation Guide V1R2 2017-07-28" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-Outlook2016HtmlReport -Value Save-Outlook2016HtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-Outlook2016HtmlReport -Set-Alias -Name shr -Value Save-Outlook2016HtmlReport -#endregion \ No newline at end of file diff --git a/Outlook2016Audit/README.md b/Outlook2016Audit/README.md deleted file mode 100644 index 6c59252e..00000000 --- a/Outlook2016Audit/README.md +++ /dev/null 
@@ -1,34 +0,0 @@
-# Outlook 2016 Audit
-
-based on
-* _DISA Microsoft Outlook 2016 Security Technical Implementation Guide V1R2 2017-07-28_
-
-## Overview
-
-The `Outlook2016Audit`-Module benchmarks the current Microsoft Outlook 2016 settings with current hardening standards from DISA.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Microsoft Outlook 2016**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-### Loading the Outlook 2016 Audit module
-
-You only need to import the module when you haven't installed it.
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\Outlook2016Audit -Verbose
-```
-3. Generate a report with `Get-Outlook2016HtmlReport` For example:
-```PowerShell
-Get-Outlook2016HtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
\ No newline at end of file
diff --git a/Outlook2016Audit/Settings.psd1 b/Outlook2016Audit/Settings.psd1
deleted file mode 100644
index c25d3113..00000000
--- a/Outlook2016Audit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mailto@example.com"
- MailFrom = "Microsoft Outlook 2016 Audit Reporting"
- Encoding = "UTF8"
- User = "audittap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-}
\ No newline at end of file
diff --git a/Powerpoint2016Audit/MS_Powerpoint_2016_DISA_STIG_V1R1.psd1 b/Powerpoint2016Audit/MS_Powerpoint_2016_DISA_STIG_V1R1.psd1
deleted file mode 100644
index e104cac7..00000000
--- a/Powerpoint2016Audit/MS_Powerpoint_2016_DISA_STIG_V1R1.psd1
+++ /dev/null
@@ -1,273 +0,0 @@
-# Requirements for Microsoft Powerpoint 2016 DISA STIG V1R1
-# Created at 03/25/2019 16:52:39
-
-@{
- RegistrySettings = @(
- @{
- Id = "DTOO104"
- Task = "Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO110"
- Task = "Blocking as default file block opening behavior must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\fileblock"
- Name = "OpenInProtectedView"
- Value = 0
- }
- @{
- Id = "DTOO111"
- Task = "The Internet Explorer Bind to Object functionality must be enabled in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO117"
- Task = "The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO119"
- Task = "Configuration for file validation must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\filevalidation"
- Name = "EnableOnLoad"
- Value = 1
- }
- @{
- Id = "DTOO121"
- Task = "Files from the Internet zone must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview"
- Name = "DisableInternetFilesInPV "
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO126"
- Task = "Add-on Management functionality must be allowed in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO127"
- Task = "Add-ins to Office applications must be signed by a Trusted Publisher."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security"
- Name = "RequireAddinSig"
- Value = 1
- }
- @{
- Id = "DTOO129"
- Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO131"
- Task = "Trust Bar Notifications for unsigned application add-ins must be blocked."
- Path = "HKCU:\software\policies\Microsoft\office\16.0\powerpoint\security"
- Name = "notbpromptunsignedaddin"
- Value = 1
- }
- @{
- Id = "DTOO132"
- Task = "File Downloads must be configured for proper restrictions in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO133"
- Task = "All automatic loading from trusted locations must be disabled."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\trusted locations"
- Name = "AllLocationsDisabled"
- Value = 1
- }
- @{
- Id = "DTOO134"
- Task = "Disallowance of trusted locations on the network must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\trusted locations"
- Name = "AllowNetworkLocations"
- Value = 0
- }
- @{
- Id = "DTOO139"
- Task = "The Save commands default file format must be configured."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\options"
- Name = "DefaultFormat"
- Value = 27 # or 1b hex
- }
- @{
- Id = "DTOO142"
- Task = "The scanning of encrypted macros in open XML documents must be enforced."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security"
- Name = "PowerPointBypassEncryptedMacroScan"
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO146"
- Task = "Trust access for VBA must be disallowed."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security"
- Name = "AccessVBOM"
- Value = 0
- }
- @{
- Id = "DTOO209"
- Task = "Protection from zone elevation must be enforced in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO211"
- Task = "ActiveX Installs must be configured for proper restriction in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO289"
- Task = "The ability to run programs from a PowerPoint presentation must be disallowed."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security"
- Name = "RunPrograms"
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO293"
- Task = "Attachments opened from Outlook must be in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview"
- Name = "DisableAttachmentsInPV "
- Value = 0
- }
- @{
- Id = "DTOO304"
- Task = "Warning Bar settings for VBA macros must be configured."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\powerpoint\security"
- Name = "VBAWarnings"
- Value = 2
- #TODO Values of REG_DWORD = 3 or 4 are also acceptable values.
- }
- @{
- Id = "DTOO501"
- Task = "Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint Viewer. "
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO502"
- Task = "The Internet Explorer Bind to Object functionality must be enabled in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO503"
- Task = "The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO504"
- Task = "Navigation to URLs embedded in Office products must be blocked in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO505"
- Task = "Scripted Window Security must be enforced in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO506"
- Task = "Add-on Management functionality must be allowed in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO507"
- Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO509"
- Task = "Protection from zone elevation must be enforced in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO510"
- Task = "ActiveX Installs must be configured for proper restriction in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL"
- Name = "pptview.exe"
- Value = 1
- }
- @{
- Id = "DTOO600"
- Task = "Macros must be blocked from running in Office files from the Internet."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\powerpoint\security"
- Name = "blockcontentexecutionfrominternet"
- Value = 1
- }
- @{
- Id = "DTOO123"
- Task = "Navigation to URLs embedded in Office products must be blocked in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO124"
- Task = "Scripted Window Security must be enforced in PowerPoint."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS"
- Name = "powerpnt.exe"
- Value = 1
- }
- @{
- Id = "DTOO288"
- Task = "Files in unsafe locations must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview"
- Name = "DisableUnsafeLocationsInPV"
- Value = 0
- DoesNotExist = $true
- }
- @{
- Id = "DTOO292"
- Task = "Document behavior if file validation fails must be set."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\filevalidation"
- Name = "openinprotectedview "
- Value = 1
- DoesNotExist = $true
- # Depends on: If the value DisableEditFromPV is set to REG_DWORD = 1, this is not a finding. If the value is set to REG_DWORD = 0, this is a finding.
- }
- @{
- Id = "DTOO605"
- Task = "Files on local Intranet UNC must be opened in Protected View."
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview"
- Name = "DisableIntranetCheck"
- Value = 0
- }
- @{
- Id = "DTOO508"
- Task = "File Downloads must be configured for proper restrictions in PowerPoint Viewer."
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"
- Name = "pptview.exe"
- Value = 1
- }
- )
-}
diff --git a/Powerpoint2016Audit/Powerpoint2016Audit.psd1 b/Powerpoint2016Audit/Powerpoint2016Audit.psd1
deleted file mode 100644
index eb058296..00000000
--- a/Powerpoint2016Audit/Powerpoint2016Audit.psd1
+++ /dev/null
@@ -1,148 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'Powerpoint2016Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '0.1'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = '337af4a1-a37c-4725-b3a8-bede75a2d885'
-
-# Author of this module
-Author = 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = "A module that benchmarks your Microsoft Powerpoint 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks."
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'powerpoint', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/Powerpoint2016Audit/Powerpoint2016Audit.psm1 b/Powerpoint2016Audit/Powerpoint2016Audit.psm1
deleted file mode 100644
index 89625edb..00000000
--- a/Powerpoint2016Audit/Powerpoint2016Audit.psm1
+++ /dev/null
@@ -1,429 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-using module ATAPHtmlReport
-using namespace Microsoft.PowerShell.Commands
-using namespace System.Security.AccessControl
-
-# Import setting from file
-$Settings = Import-LocalizedData -FileName "Settings.psd1"
-
-#region Import tests configuration settings
-$DisaRequirements = Import-LocalizedData -FileName "MS_Powerpoint_2016_DISA_STIG_V1R1.psd1"
-#endregion
-
-
-#region Logging functions
-function Set-LogFile {
- [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
- Param(
- [Parameter(Mandatory = $true)]
- [Alias('LogPath')]
- [string]$Path,
- [Parameter(Mandatory = $true)]
- [Alias('Logname')]
- [string]$Name
- )
-
- $FullPath = Get-FullPath $Path $Name
-
- # Create file if it does not already exists
- if (!(Test-Path -Path $FullPath)) {
-
- # Create file and start logging
- New-Item -Path $FullPath -ItemType File -Force | Out-Null
-
- Add-Content -Path $FullPath -Value "***************************************************************************************************"
- Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]"
- Add-Content -Path $FullPath -Value "***************************************************************************************************"
- Add-Content -Path $FullPath -Value ""
- Add-Content -Path $FullPath -Value ""
- }
-}
-
-function Write-LogFile {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true)]
- [Alias('LogMessage')]
- [string]$Message,
-
- [Parameter(Mandatory = $true)]
- [Alias('LogPath')]
- [string]$Path,
-
- [Parameter(Mandatory = $true)]
- [Alias('Logname')]
- [string]$Name,
-
- [ValidateSet("Error", "Warning", "Info")]
- [string]$Level = "Info"
- )
-
-
- Set-LogFile $Path $Name
- $FullPath = Get-FullPath $Path $Name
-
- # Format date for log file
- $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-
- switch ($Level) {
- 'Error' {
- # Write-Error $Message
- $LevelText = '[ERROR]:'
- }
- 'Warning' {
- # Write-Warning $Message
- $LevelText = '[WARNING]:'
- }
- 'Info' {
- # Write-Verbose $Message
- $LevelText = '[INFO]:'
- }
- }
- Add-Content $FullPath "$FormattedDate $LevelText"
- Add-Content $FullPath "$Message"
- Add-Content $FullPath "--------------------------"
- Add-Content $FullPath ""
-}
-
-function Get-FullPath {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true)]
- [string]$Path,
- [Parameter(Mandatory = $true)]
- [string]$File
- )
-
- $FullPath = ""
- if ($Path.Length -gt 0) {
- if ($Path[$Path.Length - 1] -ne "\") {
- $FullPath = $Path + "\" + $File
- }
- else {
- $FullPath = $Path + $File
- }
- }
-
- return $FullPath
-}
-#endregion
-
-#region Helper functions
-
-function PreprocessSpecialValueSetting {
-[CmdletBinding()]
-Param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $InputObject
-)
-
- Process {
- if ($InputObject.Keys -contains "SpecialValue") {
- $Type = $InputObject.SpecialValue.Type
- $PreValue = $InputObject.SpecialValue.Value
-
- $InputObject.Remove("SpecialValue")
- if ($Type -eq "Range") {
- $preValue = $preValue.ToLower()
-
- $predicates = @()
- if ($preValue -match "([0-9]+)[a-z ]* or less") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -le $y }.GetNewClosure()
- }
- if ($preValue -match "([0-9]+)[ a-z]* or greater") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -ge $y }.GetNewClosure()
- }
- if ($preValue -match "not ([0-9]+)") {
- $y = [int]$Matches[1]
- $predicates += { param($x) $x -ne $y }.GetNewClosure()
- }
-
- $InputObject.ExpectedValue = $preValue
- $InputObject.Predicate = {
- param($x)
- return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false
- }.GetNewClosure()
- return $InputObject
- }
- elseif ($Type -eq "Placeholder") {
- $value = $Settings[$preValue]
- $InputObject.Value = $value
-
- if ([string]::IsNullOrEmpty($value)) {
- $InputObject.ExpectedValue = "Non-empty string."
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-#endregion
-
-
-function New-AuditPipeline {
-[CmdletBinding()]
-param(
- [Parameter(Mandatory = $true, Position = 0)]
- [scriptblock[]] $AuditFunctions
-)
-
- return {
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $AuditSetting
- )
-
- process {
- $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting
-
- foreach ($auditFunction in $AuditFunctions) {
- $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference
- if ($audit -is [AuditInfo]) {
- return $audit
- }
- }
- return $null
- }
- }.GetNewClosure()
-}
-
-function Get-DisaAudit {
-[CmdletBinding()]
-Param(
- [switch] $RegistrySettings
-)
- # disa registry settings
- if ($RegistrySettings) {
- $pipline = New-AuditPipeline ${Function:Get-RegistryAudit}
- $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference
- }
-}
-
-function Get-CisAudit {
-[CmdletBinding()]
-Param(
- [switch] $RegistrySettings
-)
- # cis registry settings
- if ($RegistrySettings) {
- $pipline = New-AuditPipeline ${Function:Get-RegistryAudit}
- $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference
- }
-}
-
-#region Report-Generation
-<#
- In this section the HTML report gets build and saved to the desired destination set by parameter saveTo
-#>
-
-<#
-.Synopsis
- Generates an audit report in an html file.
-.Description
- The `Get-Powerpoint2016HtmlReport` cmdlet tests Microsoft PowerPoint 2016 settings and stores an html report at the path you specify.
-.Parameter Path
- Specifies the relative path to the file where the report will be stored.
-.Parameter DarkMode
- The report will use a darker color scheme with light text on a dark background.
-.Example - C:\PS> Get-Powerpoint2016HtmlReport -Path "reports/report1.html" -#> -function Save-Powerpoint2016HtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft PowerPoint 2016 Audit Report" ` - -ModuleName "Excel2016Audit" ` - -BasedOn "DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide V1R1 2016-11-14" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-Powerpoint2016HtmlReport -Value Save-Powerpoint2016HtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-Powerpoint2016HtmlReport -Set-Alias -Name shr -Value Save-Powerpoint2016HtmlReport -#endregion \ No newline at end of file diff --git a/Powerpoint2016Audit/README.md b/Powerpoint2016Audit/README.md deleted file mode 100644 index a324d7eb..00000000 --- a/Powerpoint2016Audit/README.md +++ /dev/null 
@@ -1,34 +0,0 @@
-# PowerPoint 2016 Audit
-
-based on
-* _DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide V1R1 2016-11-14_
-
-## Overview
-
-The `Powerpoint2016Audit`-Module benchmarks the current Microsoft PowerPoint 2016 settings with current hardening standards from DISA.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Microsoft PowerPoint 2016**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-### Loading the PowerPoint 2016 Audit module
-
-You only need to import the module when you haven't installed it.
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\Powerpoint2016Audit -Verbose
-```
-3. Generate a report with `Get-Powerpoint2016HtmlReport` For example:
-```PowerShell
-Get-Powerpoint2016HtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
\ No newline at end of file
diff --git a/Powerpoint2016Audit/Settings.psd1 b/Powerpoint2016Audit/Settings.psd1
deleted file mode 100644
index 66c77f71..00000000
--- a/Powerpoint2016Audit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mailto@example.com"
- MailFrom = "Powerpoint Audit Reporting"
- Encoding = "UTF8"
- User = "audittap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-}
\ No newline at end of file
diff --git a/README.md b/README.md
index 15a0f1e1..2921acf1 100644
--- a/README.md
+++ b/README.md
@@ -2,91 +2,138 @@ ## Overview -The Audit Test Automation Package gives you the ability to get an overview about the compliance status of several systems. You can easily create HTML-reports and have a transparent overview over compliance and non-compliance of explicit setttings and configurations in comparison to industry standards and hardening guides. +The Audit Test Automation Package gives you the ability to get an overview about the compliance +status of several systems. You can easily create HTML-reports and have a transparent overview over +compliance and non-compliance of explicit setttings and configurations in comparison to industry +standards and hardening guides. ## Modules -The package consists of the following Modules: +The package consists of the following modules: * [ATAPHtmlReport](ATAPHtmlReport) -* [IIS8Audit](IIS8Audit) -* [IIS10Audit](IIS10Audit) -* [SQL2016Benchmarks](SQL2016Benchmarks) -* [WindowsServer2016Audit](WindowsServer2016Audit) -* [Windows10Audit](Windows10Audit) -* [Windows10GDPRAudit](Windows10GDPRAudit) +* [ATAPAuditor](ATAPAuditor) -Microsoft Office 2016 Audit Modules: +## Reports -* [Word2016Audit](Word2016Audit) -* [Excel2016Audit](Excel2016Audit) -* [Outlook2016Audit](Outlook2016Audit) -* [Powerpoint2016Audit](Powerpoint2016Audit) -* [Skype4Business2016Audit](Skype4Business2016Audit) +The *ATAPAuditor* contains the following reports based on the following benchmarks -Browser Audit Modules: +Benchmark | DISA STIG | CIS benchmark +------------ | ------------- | ------------- +Google Chrome | Single (Version: V1R15, Date: 2019-01-28) | Single (Version: 2.0.0, Date: 2019-05-17) +Mozilla Firefox | Single (Version: V4R24, Date: 2019-01-25) | Single (Version: 1.0.0, Date: 2015-12-31) +Microsoft IE11 | Single (Version: V1R16, Date: 2018-06-08 | Single (Version: 1.0.0, Date: 2014-12-01) +Microsoft IIS10 | None | Single (Version: 1.1.0, Date: 2018-11-12) +Microsoft Office 2016 | Multiple (see below) | None +Microsoft Office 2016 Excel | 
Single (Version: V1R2, Date: 2017-09-19) | None +Microsoft Office 2016 Outlook | Single (Version: V1R2, Date: 2017-05-08) | None +Microsoft Office 2016 PowerPoint | Single (Version: V1R1, Date: 2016-11-02) | None +Microsoft Office 2016 SkypeForBusiness | Single (Version: V1R1, Date: 2016-11-02) | None +Microsoft Office 2016 Word | Single (Version: V1R1, Date: 2016-11-02) | None +Microsoft SQL Server 2016 | None | Single (Version: 1.0.0, Date: 2017-11-08) +Microsoft Windows 10 | Single (Version: V1R16, Date: 2019-10-25) | Single (Version: 1.8.1, Date: 2020-01-28) +Microsoft Windows 10 GDPR | None | None +Microsoft Windows Server 2016 | Single (Version: V1R6, Date: 2018-10-26) | Single (Version: 1.1.0, Date: 2018-10-15) +Microsoft Windows Server 2019 | Single (Version: V1R2, Date: 2020-01-24) | Single (Version: 1.1.0, Date: 2020-01-10) -* [MozillaFirefoxAudit](MozillaFirefoxAudit) -* [GoogleChromeAudit](GoogleChromeAudit) -* [MicrosoftIE11Audit](MicrosoftIE11Audit) -Read the the READMEs of each module to get specific information about a module. +## Download, installation and usage -## Getting started +### Install from Github (manual way) -Check out the module folders and check if the desired module can be installed with `Install-Module`. Otherwise: +1. Download the release zip in version https://github.com/fbprogmbh/Audit-Test-Automation/releases -### General Requirements - -* Make sure your execution policy is set to at least remoteSigned (the scripts are not digitally signed yet) +2. Unzip the release package on your local machines, for example by using the following commands in Powershell or by using your favourite unzipping toolset. +```Powershell +Expand-Archive -Path ".\Audit TAP.zip" -DestinationPath "Audit TAP" +``` -```powershell - Set-ExecutionPolicy RemoteSigned -scope CurrentUser +3. 
Import the modules "ATAPAuditor" and "ATAPHtmlReport" to any of the paths of `$env:PSModulePath` by using the following code: +```Powershell +Import-Module -Name .\ATAPAuditor\ATAPAuditor.psm1 -Verbose +Import-Module -Name .\ATAPHtmlReport\ATAPHtmlReport.psm1 -verbose ``` -### Quick Usage +4. Create a new report in the `Documents\ATAPReports` folder. You can create a report for any report named in the above table. +The force parameter creates the folder if it doesn't exist. For using an alternative Path, see customization. -1. Download the release zip and export the modules in a location you can easily access with PowerShell -2. Navigate to the location with PowerShell and import the modules with `Import-Module`. Be sure not to include any file extension, as this prevents the module manifest from loading. This is important because the manifest tells Powershell about the assemblies and modules that the module requires. For example: ```Powershell -Import-Module -Name .\IIS10Audit -Verbose +Save-ATAPHtmlReport -ReportName "Microsoft IIS10" -Force +Save-ATAPHtmlReport -ReportName "Mozilla Firefox" -Force ``` -3. Run the command you require. -## More Information +### Install from PS Gallery -You can always get more information on a command by using the familiar `Get-Help`-Command on a Module. - -For example: +1. You need to install both modules: ```Powershell -Get-Help Get-IIS10HtmlReport -``` -Output: +Install-Module -Name ATAPAuditor +Install-Module -Name ATAPHtmlReport ``` -NAME - Get-IISHtmlReport - -SYNOPSIS - Generates an audit report in an html file. +2. Create a new report in the `Documents\ATAPReports` folder. The force parameter creates the folder if it doesn't exist. For using an alternative Path, see customization. 
+```Powershell +Save-ATAPHtmlReport -ReportName "Microsoft IIS10" -Force +``` +## Good to know -SYNTAX - Get-IISHtmlReport [-Path] [[-SystemAuditInfos] ] [[-SiteAudits] ] - [] +* Make sure your execution policy is set to at least remoteSigned (the scripts are not digitally signed) +```powershell + Set-ExecutionPolicy RemoteSigned -scope CurrentUser +``` -DESCRIPTION - The `Get-IIS10HtmlReport` cmdlet collects by default data from the current machine to generate an audit report. +* The `ATAPAuditor` has a dependency on `ATAPHtmlReport`. + +* Some reports are running longer than a few seconds due to hundreds of individual settings and controls checked. So please be patient, the result will satisfy your needs ;-) + +* If you used old versions of Audit TAP you may want to clean up your modules. Be sure you have not integrated Audit TAP functionality in reporting processes. In order to accomplish this task you can use the following commands. We provide a full list here - please adopt it to your needs. + + ```Powershell + Uninstall-Module -Name ATAPHtmlReport + Uninstall-Module -Name Excel2016Audit + Uninstall-Module -Name GoogleChromeAudit + Uninstall-Module -Name IIS8Audit + Uninstall-Module -Name IIS10Audit + Uninstall-Module -Name MicrosoftIE11Audit + Uninstall-Module -Name MozillaFirefoxAudit + Uninstall-Module -Name Outlook2016Audit + Uninstall-Module -Name Powerpoint2016Audit + Uninstall-Module -Name Skype4Business2016Audit + Uninstall-Module -Name SQL2016Benchmarks + Uninstall-Module -Name Windows10Audit + Uninstall-Module -Name Windows10GDPRAudit + Uninstall-Module -Name WindowsServer2016Audit + Uninstall-Module -Name Word2016Audit + ``` +## Sample reports + +You can find several sample reports in the "Samples" folder. + +## Customization + +You can change the default folder for `Save-ATAPHtmlReport`, which is `Documents\ATAPReports`, by creating and later editing the environment variable `ATAPReportPath`. 
+Environment variables can bet set for different scopes - please choose the one that fits your needs. The following samples will set the default path to 'C:\ATAPReports'. + +Temporary scope: CurrentSession +```Powershell +$env:ATAPReportPath = 'C:\ATAPReports' +``` - It is also possible to pass your own data to the cmdlet from which it generates the report. To do this, use the - parameter `SystemAuditInfos` and `SiteAudits`. +Permanent scope: CurrentUser +```Powershell +[System.Environment]::SetEnvironmentVariable('ATAPReportPath','C:\ATAPReports',[System.EnvironmentVariableTarget]::User) +``` +Permanent scope: Machine +```Powershell +[System.Environment]::SetEnvironmentVariable('ATAPReportPath','C:\ATAPReports',[System.EnvironmentVariableTarget]::Machine) +``` + ## Related links -RELATED LINKS +* Github-Link: https://github.com/fbprogmbh/Audit-Test-Automation +* Our Homepage: https://fb-pro.com/ -REMARKS - To see the examples, type: "get-help Get-IIS10HtmlReport -examples". - For more information, type: "get-help Get-IIS10HtmlReport -detailed". - For technical information, type: "get-help Get-IIS10HtmlReport -full". + ## Questions, issues or project support -``` +* For questions or issues regarding Audit TAP please use Github issue tracker. +* For questions regarding project support please write a short mail to team@fb-pro.com \ No newline at end of file diff --git a/SQL2016Benchmarks/README.md b/SQL2016Benchmarks/README.md deleted file mode 100644 index cb2ef964..00000000 --- a/SQL2016Benchmarks/README.md +++ /dev/null 
@@ -1,40 +0,0 @@
-# SQL 2016 Benchmarks
-
-_based on CIS Microsoft SQL Server Benchmark v1.0.0 - 08-11-2017_
-
-## Overview
-
-The `SQL2016Benchmarks`-Module benchmarks the current systems settings with current hardening standards such as the CIS Microsoft SQL Server Benchmarks. This module is specifically designed for Microsof SQL Server 2016.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Windows Server 2016** comes out of the box with:
- * **PowerShell 5.1**
-* **SqlServer Module:** The audit module uses Cmdlets from the SqlServer module which is *not* included with a standard sql server installation.
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-## Loading the SQL 2016 Benchmarks module
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\CIS_Benchmarks\CISSQL2016Benchmarks -Verbose
-```
-3. You can generate a report with `Get-SQL2016Report` for either all SQLInstances without using the Parameter `-SQLInstance` or a specific SQLInstance by using the Parameter `-SQLInstance`. For example:
-```PowerShell
-Get-SQL2016Report -Path "MyReport.html"
-```
-```PowerShell
-Get-SQL2016Report -Path "MyReport.html" -SQLInstance "MyNamedInstance"
-```
-
-### Audit script error reporting
-
-The audit script will use the PowerShell error stream to output errors raised during the runtime of the script. Furthermore, it will log errors in a log file. Standard path for the log file is \\AppData\\Local\\Temp\\ in the user's home directory. You can adjust the path in the settings section inside the script itself.
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
diff --git a/SQL2016Benchmarks/SQL2016Benchmarks.psd1 b/SQL2016Benchmarks/SQL2016Benchmarks.psd1
deleted file mode 100644
index 3f7c0dec..00000000
--- a/SQL2016Benchmarks/SQL2016Benchmarks.psd1
+++ /dev/null
@@ -1,146 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'SQL2016Benchmarks.psm1'
-
-# Version number of this module.
-ModuleVersion = '1.0.0.0'
-
-# ID used to uniquely identify this module
-GUID = '06a800a0-f2df-4e44-867b-d04154c42bc1'
-
-# Author of this module
-Author = 'Dennis Esly', 'Peter Maier'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2018 FB-Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-# Description = ''
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module
-FunctionsToExport = '*'
-
-# Cmdlets to export from this module
-CmdletsToExport = '*'
-
-# Variables to export from this module
-VariablesToExport = '*'
-
-# Aliases to export from this module
-AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- # Tags = @()
-
- # A URL to the license for this module.
- # LicenseUri = ''
-
- # A URL to the main website for this project.
- # ProjectUri = ''
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
-
diff --git a/SQL2016Benchmarks/Sample/myReport.html b/SQL2016Benchmarks/Sample/myReport.html
deleted file mode 100644
index 13cc35af..00000000
--- a/SQL2016Benchmarks/Sample/myReport.html
+++ /dev/null
@@ -1,7 +0,0 @@
-SQL 2016 Benchmarks [10/07/2018 14:00:17]
FB-Pro GmbH

SQL 2016 Benchmarks

Generated by the SQL2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on CIS Microsoft SQL Server 2016 Benchmark v1.0.0 - 08-11-2017.

This report was generated at 10/07/2018 14:00:17 on WIN-8NH110KK3JB.

HostnameWIN-8NH110KK3JB
Build Number14393
Free disk space(GB) 15,2
Operating SystemMicrosoft Windows Server 2016 Datacenter Evaluation
Free physical memory (GB)0,769

Navigation

Click the link(s) below for quick access to a report section.

2 Surface Area Reduction^

SQL Server offers various configuration options, some of them can be controlled by the sp_configure stored procedure. This section contains the listing of the corresponding recommendations.

Id Task Message Audit
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' Values do not match, found: - value_configured: 1 - value_in_use:1 False
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' Values do not match, found: - value_configured: 1 - value_in_use:1 False
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' All good True
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' All good True
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' All good True
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' Values do not match, found: - value_configured: 1 - value_in_use:1 False
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' All good True
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' All good True
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' All good True
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' Following protocols are enabled:Named Pipes Shared Memory Warning
2.11 Ensure SQL Server is configured to use non-standard ports All good True
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances Instance not hidden False
2.13 Ensure the 'sa' Login Account is set to 'Disabled' All good True
2.14 Ensure the 'sa' Login Account has been renamed SA Login Account not renamed False
2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' All good True
2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases All good True
2.17 Ensure no login exists with the name 'sa' Found login with name 'sa' False

3 Authentication and Authorization^

This section contains recommendations related to SQL Server's authentication and authorization mechanisms.

Id Task Message Audit
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' Login mode set to Mixed Mode Authentication False
3.2.1 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016 All good True
3.2.2 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016b All good True
3.2.3 Ensure CONNECT permissions on the 'guest' user is revoked for database model All good True
3.2.4 Ensure CONNECT permissions on the 'guest' user is revoked for database TutorialDB All good True
3.3.1 Ensure 'Orphaned Users' are dropped for database AdventureWorks2016 All good True
3.3.2 Ensure 'Orphaned Users' are dropped for database AdventureWorks2016b All good True
3.3.3 Ensure 'Orphaned Users' are dropped for database master All good True
3.3.4 Ensure 'Orphaned Users' are dropped for database model All good True
3.3.5 Ensure 'Orphaned Users' are dropped for database msdb All good True
3.3.6 Ensure 'Orphaned Users' are dropped for database tempdb All good True
3.3.7 Ensure 'Orphaned Users' are dropped for database TutorialDB All good True
3.4.1 Ensure SQL Authentication is not used for database AdventureWorks2016 All good True
3.4.2 Ensure SQL Authentication is not used for database AdventureWorks2016b All good True
3.4.3 Ensure SQL Authentication is not used for database master All good True
3.4.4 Ensure SQL Authentication is not used for database model All good True
3.4.5 Ensure SQL Authentication is not used for database msdb All good True
3.4.6 Ensure SQL Authentication is not used for database tempdb All good True
3.4.7 Ensure SQL Authentication is not used for database TutorialDB All good True
3.5 Ensure the SQL Server’s MSSQL Service Account is Not an Administrator Following service accounts are administrator: Administrator False
3.6 Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator All good True
3.7 Ensure the SQL Server’s Full-Text Service Account is Not an Administrator All good True
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role All good True
3.9 Ensure Windows BUILTIN groups are not SQL Logins All good True
3.10 Ensure Windows local groups are not SQL Logins All good True
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies All good True

4 Password Policies^

This section contains recommendations related to SQL Server's password policies.

Id Task Message Audit
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins Following Logins Must Change their password: MustChange False
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role Found missmatching account(s):sa False
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins All good True

5 Auditing and Logging^

This section contains recommendations related to SQL Server's audit and logging mechanisms.

Id Task Message Audit
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' Maximum number of error log files too high False
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' All good True
5.3 Ensure 'Login Auditing' is set to 'failed logins' All good True
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' All good True

6 Application Development^

This section contains recommendations related to developing applications that interface with SQL Server.

Id Task Message Audit
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies All good True

7 Encryption^

These recommendations pertain to encryption-related aspects of SQL Server.

Id Task Message Audit
7.1.1 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016 All good True
7.1.2 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016b All good True
7.1.3 Ensure CONNECT permissions on the 'guest' user is revoked for database TutorialDB All good True
7.2.1 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016 All good True
7.2.2 Ensure CONNECT permissions on the 'guest' user is revoked for database AdventureWorks2016b All good True
7.2.3 Ensure CONNECT permissions on the 'guest' user is revoked for database TutorialDB All good True

8 Appendix: Additional Considerations^

This appendix discusses possible configuration options for which no recommendation is being given.

Id Task Message Audit
8.1 Ensure 'SQL Server Browser Service' is configured correctly All good True
diff --git a/SQL2016Benchmarks/Settings.psd1 b/SQL2016Benchmarks/Settings.psd1
deleted file mode 100644
index a8013d88..00000000
--- a/SQL2016Benchmarks/Settings.psd1
+++ /dev/null
@@ -1,51 +0,0 @@
-<#
-Copyright (c) 2017, FB Pro GmbH, Germany
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- * Neither the name of the nor the
- names of its contributors may be used to endorse or promote products
- derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-<#
-
- Author(s): Dennis Esly
- Date: 01/11/2018
- Last change: 01/11/2018
- Version: 1.0
-
-#>
-
-@{
- Settings = @{
- Email = @{
- SMTPServer = "mail.example.com"
- SMTPPort = 25
- MailTo = "support@example.com"
- MailFrom = "noreply"
- Encoding = "UTF8"
- User = "user@example.com"
- PasswordFile = ""
- }
- LogFilePath = "C:\Logs\"
- LogFileName = "cisIIS8benchmarkErrors.log"
- }
-}
\ No newline at end of file
diff --git a/GoogleChromeAudit/Sample/report.dark.html b/Samples/GoogleChrome.dark.html
similarity index 100%
rename from GoogleChromeAudit/Sample/report.dark.html
rename to Samples/GoogleChrome.dark.html
diff --git a/GoogleChromeAudit/Sample/report.html b/Samples/GoogleChrome.html
similarity index 100%
rename from GoogleChromeAudit/Sample/report.html
rename to Samples/GoogleChrome.html
diff --git a/MozillaFirefoxAudit/Sample/report.dark.html b/Samples/MozillaFirefox.dark.html
similarity index 100%
rename from MozillaFirefoxAudit/Sample/report.dark.html
rename to Samples/MozillaFirefox.dark.html
diff --git a/MozillaFirefoxAudit/Sample/report.html b/Samples/MozillaFirefox.html
similarity index 100%
rename from MozillaFirefoxAudit/Sample/report.html
rename to Samples/MozillaFirefox.html
diff --git a/Excel2016Audit/Sample/report.html b/Samples/Office2016.dark.html
similarity index 100%
rename from Excel2016Audit/Sample/report.html
rename to Samples/Office2016.dark.html
diff --git a/Excel2016Audit/Sample/report.dark.html b/Samples/Office2016Excel.dark.html
similarity index 100%
rename from Excel2016Audit/Sample/report.dark.html
rename to Samples/Office2016Excel.dark.html
diff --git a/Outlook2016Audit/Sample/report.dark.html b/Samples/Office2016Outlook.dark.html
similarity index 100%
rename from Outlook2016Audit/Sample/report.dark.html
rename to Samples/Office2016Outlook.dark.html
diff --git a/Outlook2016Audit/Sample/report.html b/Samples/Office2016Outlook.html
similarity index 100%
rename from Outlook2016Audit/Sample/report.html
rename to Samples/Office2016Outlook.html
diff --git a/Powerpoint2016Audit/Sample/report.dark.html b/Samples/Office2016PowerPoint.dark.html
similarity index 100%
rename from Powerpoint2016Audit/Sample/report.dark.html
rename to Samples/Office2016PowerPoint.dark.html
diff --git a/Powerpoint2016Audit/Sample/report.html b/Samples/Office2016PowerPoint.html
similarity index 100%
rename from Powerpoint2016Audit/Sample/report.html
rename to Samples/Office2016PowerPoint.html
diff --git a/Skype4Business2016Audit/Samples/report.dark.html b/Samples/Office2016SkypeForBusiness.dark.html
similarity index 100%
rename from Skype4Business2016Audit/Samples/report.dark.html
rename to Samples/Office2016SkypeForBusiness.dark.html
diff --git a/Skype4Business2016Audit/Samples/report.html b/Samples/Office2016SkypeForBusiness.html
similarity index 100%
rename from Skype4Business2016Audit/Samples/report.html
rename to Samples/Office2016SkypeForBusiness.html
diff --git a/Word2016Audit/Samples/report.dark.html b/Samples/Office2016Word.dark.html
similarity index 100%
rename from Word2016Audit/Samples/report.dark.html
rename to Samples/Office2016Word.dark.html
diff --git a/Word2016Audit/Samples/report.html b/Samples/Office2016Word.html
similarity index 100%
rename from Word2016Audit/Samples/report.html
rename to Samples/Office2016Word.html
diff --git a/Windows10Audit/Sample/20190514_0814_auditreport.html b/Samples/Windows10.html
similarity index 61%
rename from Windows10Audit/Sample/20190514_0814_auditreport.html
rename to Samples/Windows10.html
index b5918774..74d72e78 100644
--- a/Windows10Audit/Sample/20190514_0814_auditreport.html
+++ b/Samples/Windows10.html
@@ -1,4 +1,4 @@
-Windows 10 Report [05/14/2019 08:14:34]

Windows 10 Report

Generated by the Windows10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows 10 Security Technical Implementation Guide V1R16 2019-01-25.

This report was generated at 05/14/2019 08:14:34 on DESKTOP-VSBMIM9.

HostnameDESKTOP-VSBMIM9
Build Number17763
Free disk space(GB) 115.2
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.564

Summary

A total of 640 tests have been run. 503 resulted in false. 0 resulted in warning.

  1. True 132 test(s) ≙ 20.63%
  2. False 503 test(s) ≙ 78.59%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 5 test(s) ≙ 0.78%

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

TThis section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
WN10-CC-000310 Users must be prevented from changing installation options. Registry key not found. False
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Registry key not found. False
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Registry key not found. False
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Registry value not found. False
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Registry key not found. False
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Registry key not found. False
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Registry key not found. False
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Registry key not found. False
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry key not found. False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-CC-000005 Camera access from the lock screen must be disabled. Registry key not found. False
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Registry key not found. False
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Registry value not found. False
WN10-CC-000025 The system must be configured to prevent IP source routing. Registry value not found. False
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Registry value not found. False
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Registry value not found. False
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Registry key not found. False
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Registry value not found. False
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Registry value not found. False
WN10-CC-000065 Wi-Fi Sense must be disabled. Registry value not found. False
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Registry value not found. False
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry key not found. False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Registry key not found. False
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Registry key not found. False
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Registry value not found. False
WN10-CC-000110 Printing over HTTP must be prevented. Registry key not found. False
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Registry key not found. False
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Registry value not found. False
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Registry value not found. False
WN10-SO-000030 Audit policy using subcategories must be enabled. Registry value not found. False
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Registry key not found. False
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Registry key not found. False
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Registry value not found. False
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Registry key not found. False
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Registry value not found. False
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry key not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Registry key not found. False
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Registry value not found. False
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Registry value not found. False
WN10-CC-000190 Autoplay must be disabled for all drives. Registry value not found. False
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Window 10. Registry key not found. False
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Registry key not found. False
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Registry key not found. False
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Registry key not found. False
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Registry value not found. False
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Registry key not found. False
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Registry key not found. False
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Registry key not found. False
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Registry key not found. False
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Registry value not found. False
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Registry value not found. False
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Registry value not found. False
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Registry value not found. False
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Registry value not found. False
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Registry key not found. False
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Registry key not found. False
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000305 Indexing of encrypted files must be turned off. Registry key not found. False
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Registry value not found. False
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Registry value not found. False
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Registry key not found. False
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Registry key not found. False
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Registry value not found. False
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value: 0. Differs from expected value: 1. False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Registry value not found. False
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Registry value: 5. Differs from expected value: 2. False
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value: 3. Differs from expected value: 0. False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Registry value not found. False
WN10-CC-000326 PowerShell script block logging must be enabled. Registry key not found. False
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Registry value not found. False
WN10-CC-000038 WDigest Authentication must be disabled. Registry value not found. False
WN10-CC-000044 Internet connection sharing must be disabled. Registry value not found. False
WN10-CC-000197 Microsoft consumer experiences must be turned off. Registry key not found. False
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Registry key not found. False
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Registry key not found. False
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Registry value not found. False
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Registry key not found. False
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment^

Id Task Message Audit
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000070 SW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 SW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000090 SW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have don't have the rights: False
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The following users have too many rights: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies^

Id Task Message Audit
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Currently not set. False
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. Currently set to: 0. Expected: not equal 0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Currently not set. False
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Currently set to: 0. Expected: greater than or equal 24 False
WN10-AC-000025 The maximum password age must be configured to 60 days or less. Compliant True
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Currently set to: 0. Expected: greater than or equal 1 False
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. Currently set to: 0. Expected: greater than or equal 14 False
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Currently set to: 0. Expected: equals 1 False
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True
WN10-SO-000140 Anonymous SID/Name translation must not be allowed. Compliant True

Windows Features^

Id Task Message Audit
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions^

Id Task Message Audit
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False

Registry Permissions^

Id Task Message Audit
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

CIS Benchmarks^

This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet.

Registry Settings/Group Policies^

Id Task Message Audit
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Registry value not found. False
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Registry value not found. False
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Registry value not found. False
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Registry value not found. False
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Registry value not found. False
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Registry value is ''. Expected: pattern match .+ False
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Registry value is '10'. Expected: pattern match ^[43210]$ False
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Registry value is '0'. Expected: pattern match ^(1|2|3)$ False
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Registry value is ''. Expected: equals False
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Registry value not found. False
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Registry value not found. False
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Registry value not found. False
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Registry key not found. False
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Registry key not found. +Windows 10 Report [05/14/2019 08:14:34]

Windows 10 Report

Generated by the Windows10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows 10 Security Technical Implementation Guide V1R16 2019-01-25.

This report was generated at 05/14/2019 08:14:34 on DESKTOP-VSBMIM9.

HostnameDESKTOP-VSBMIM9
Build Number17763
Free disk space(GB) 115.2
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.564

Summary

A total of 640 tests have been run. 503 resulted in false. 0 resulted in warning.

  1. True 132 test(s) ≙ 20.63%
  2. False 503 test(s) ≙ 78.59%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 5 test(s) ≙ 0.78%

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

TThis section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
WN10-CC-000310 Users must be prevented from changing installation options. Registry key not found. False
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Registry key not found. False
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Registry key not found. False
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Registry value not found. False
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Registry key not found. False
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Registry key not found. False
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Registry key not found. False
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Registry key not found. False
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry key not found. False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-CC-000005 Camera access from the lock screen must be disabled. Registry key not found. False
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Registry key not found. False
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Registry value not found. False
WN10-CC-000025 The system must be configured to prevent IP source routing. Registry value not found. False
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Registry value not found. False
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Registry value not found. False
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Registry key not found. False
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Registry value not found. False
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Registry value not found. False
WN10-CC-000065 Wi-Fi Sense must be disabled. Registry value not found. False
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Registry value not found. False
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry key not found. False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Registry key not found. False
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Registry key not found. False
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Registry value not found. False
WN10-CC-000110 Printing over HTTP must be prevented. Registry key not found. False
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Registry key not found. False
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Registry value not found. False
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Registry value not found. False
WN10-SO-000030 Audit policy using subcategories must be enabled. Registry value not found. False
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Registry key not found. False
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Registry key not found. False
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Registry value not found. False
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Registry key not found. False
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Registry value not found. False
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry key not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Registry key not found. False
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Registry value not found. False
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Registry value not found. False
WN10-CC-000190 Autoplay must be disabled for all drives. Registry value not found. False
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Window 10. Registry key not found. False
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Registry key not found. False
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Registry key not found. False
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Registry key not found. False
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Registry value not found. False
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Registry key not found. False
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Registry key not found. False
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Registry key not found. False
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Registry key not found. False
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Registry value not found. False
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Registry value not found. False
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Registry value not found. False
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Registry value not found. False
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Registry value not found. False
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Registry key not found. False
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Registry key not found. False
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000305 Indexing of encrypted files must be turned off. Registry key not found. False
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Registry value not found. False
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Registry value not found. False
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Registry key not found. False
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Registry key not found. False
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Registry value not found. False
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value: 0. Differs from expected value: 1. False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Registry value not found. False
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Registry value: 5. Differs from expected value: 2. False
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value: 3. Differs from expected value: 0. False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Registry value not found. False
WN10-CC-000326 PowerShell script block logging must be enabled. Registry key not found. False
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Registry value not found. False
WN10-CC-000038 WDigest Authentication must be disabled. Registry value not found. False
WN10-CC-000044 Internet connection sharing must be disabled. Registry value not found. False
WN10-CC-000197 Microsoft consumer experiences must be turned off. Registry key not found. False
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Registry key not found. False
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Registry key not found. False
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Registry value not found. False
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Registry key not found. False
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment^

Id Task Message Audit
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000070 SW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 SW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000090 SW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have don't have the rights: False
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The following users have too many rights: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies^

Id Task Message Audit
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Currently not set. False
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. Currently set to: 0. Expected: not equal 0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Currently not set. False
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Currently set to: 0. Expected: greater than or equal 24 False
WN10-AC-000025 The maximum password age must be configured to 60 days or less. Compliant True
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Currently set to: 0. Expected: greater than or equal 1 False
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. Currently set to: 0. Expected: greater than or equal 14 False
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Currently set to: 0. Expected: equals 1 False
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True
WN10-SO-000140 Anonymous SID/Name translation must not be allowed. Compliant True

Windows Features^

Id Task Message Audit
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions^

Id Task Message Audit
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False

Registry Permissions^

Id Task Message Audit
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

CIS Benchmarks^

This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet.

Registry Settings/Group Policies^

Id Task Message Audit
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Registry value not found. False
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Registry value not found. False
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Registry value not found. False
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Registry value not found. False
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Registry value not found. False
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Registry value is ''. Expected: pattern match .+ False
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Registry value is '10'. Expected: pattern match ^[43210]$ False
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Registry value is '0'. Expected: pattern match ^(1|2|3)$ False
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Registry value is ''. Expected: equals False
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Registry value not found. False
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Registry value not found. False
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Registry value not found. False
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Registry key not found. False
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Registry key not found. Registry key not found. False
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' Compliant True
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' Registry value not found. False
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher Compliant True
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher Registry value not found. False
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' Compliant True
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' Compliant True
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' Registry value not found. False
2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' Compliant True
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Registry value is '5'. Expected: equals 2 False
2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Registry value is '3'. Expected: equals 0 False
2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' Compliant True
2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' Compliant True
2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' Compliant True
2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' Compliant True
2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' Compliant True
5.1 (L2) Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled' Registry key not found. False
5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' Compliant True
5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.6 (L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled' Compliant True
5.7 (L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled' Compliant True
5.8 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' Compliant True
5.9 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.10 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.11 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.12 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' Compliant True
5.13 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.14 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.15 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.16 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.17 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.18 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' Compliant True
5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' Compliant True
5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' Compliant True
5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' Compliant True
5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.31 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.32 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' Compliant True
5.33 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.34 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.35 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' Registry value found. Registry value is '3'. Expected: equals 4 False
5.36 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.37 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.38 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.40 (L2) Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.43 (L1) Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled' Registry key not found. False
5.44 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.45 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.46 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' Registry key not found. False
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' Registry key not found. False
18.1.2.2 (L1) Ensure 'Allow input personalization' is set to 'Disabled' Registry key not found. False
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' Registry value not found. False
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed Registry key not found. Registry key not found. False
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' Registry key not found. False
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' Registry key not found. False
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' Registry key not found. False
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' Registry key not found. False
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' Registry key not found. False
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' Registry value not found. False
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' Registry key not found. False
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Registry value not found. False
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' Registry value not found. False
18.3.5 (L1) Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled' Registry key not found. False
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' Registry value not found. False
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' Compliant True
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' Registry value not found. False
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' Registry value not found. False
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' Registry value not found. False
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' Registry value not found. False
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' Registry value not found. False
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' Registry value not found. False
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Registry value not found. False
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Registry value not found. False
18.5.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') Registry value not found. False
18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' Registry key not found. False
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' Registry value not found. False
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' Registry key not found. False
18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' Registry key not found. False
18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' Registry key not found. False
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' Registry value not found. False
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' Registry value is ''. Expected: pattern match [Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1 False
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') Registry value not found. False
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' Registry key not found. False
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' Registry key not found. False
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' Registry value not found. False
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' Registry value not found. False
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' Registry value not found. False
18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Registry key not found. False
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' Registry key not found. False
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' Registry key not found. False
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' Registry key not found. False
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' Registry key not found. False
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' Registry key not found. False
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' Registry key not found. False
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' Registry key not found. False
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' Registry key not found. False
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' Registry key not found. False
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' Registry key not found. False
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' Registry value not found. False
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' Compliant. Registry value not found. True
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' Registry key not found. False
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' Registry key not found. False
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' Registry key not found. False
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' Registry value not found. False
18.8.22.1.7 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' Registry key not found. False
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' Registry value not found. False
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Registry value not found. False
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' Registry key not found. False
18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' Registry key not found. False
18.8.26.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Registry key not found. False
18.8.27.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Registry value not found. False
18.8.27.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Registry value not found. False
18.8.27.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' Registry value not found. False
18.8.27.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Registry value not found. False
18.8.27.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Registry value not found. False
18.8.33.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Registry key not found. False
18.8.33.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Registry key not found. False
18.8.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.36.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' Registry key not found. False
18.8.36.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' Registry key not found. False
18.8.44.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Registry key not found. False
18.8.44.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' Registry key not found. False
18.8.46.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Registry key not found. False
18.8.49.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Registry key not found. False
18.8.49.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' Registry key not found. False
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Registry key not found. False
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Registry value not found. False
18.9.6.2 (L2) Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' Registry value not found. False
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry key not found. False
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Registry value not found. False
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Registry value not found. False
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Registry key not found. False
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' Registry key not found. False
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' Registry key not found. False
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.1.14 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' Registry key not found. False
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' Registry key not found. False
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' Registry key not found. False
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' Registry key not found. False
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.11 (BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' Registry key not found. False
18.9.11.2.12 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled' Registry key not found. False
18.9.11.2.13 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.14 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.15 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.2.16 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' Registry key not found. False
18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.19 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' Registry key not found. False
18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' Registry key not found. False
18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' Registry key not found. False
18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' Registry key not found. False
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' Registry key not found. False
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.11 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.12 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.13 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.3.14 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' Registry key not found. False
18.9.11.3.15 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.16 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' Registry key not found. False
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' Registry key not found. False
18.9.11.4 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled: XTS-AES 256-bit' Registry key not found. False
18.9.11.5 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' Registry key not found. False
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry key not found. False
18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Registry key not found. False
18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled' Registry key not found. False
18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Registry key not found. False
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Registry key not found. False
18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Registry value not found.
diff --git a/Skype4Business2016Audit/MS_Skype4Business_2016_DISA_STIG_V1R1.psd1 b/Skype4Business2016Audit/MS_Skype4Business_2016_DISA_STIG_V1R1.psd1
deleted file mode 100644
index 9c31823b..00000000
--- a/Skype4Business2016Audit/MS_Skype4Business_2016_DISA_STIG_V1R1.psd1
+++ /dev/null
@@ -1,28 +0,0 @@
-# Requirements for Microsoft Skype for Business 2016 DISA STIG V1R1
-# Created at 03/25/2019 18:07:12
-
-@{
- RegistrySettings = @(
- @{
- Id = "DTOO420"
- Task = "The ability to store user passwords in Skype must be disabled."
- Path = "HKLM:\Software\Policies\Microsoft\office\16.0\lync"
- Name = "savepassword"
- Value = 0
- }
- @{
- Id = "DTOO421"
- Task = "Session Initiation Protocol (SIP) security mode must be configured."
- Path = "HKLM:\Software\Policies\Microsoft\office\16.0\lync"
- Name = "enablesiphighsecuritymode"
- Value = 1
- }
- @{
- Id = "DTOO422"
- Task = "In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP."
- Path = "HKLM:\Software\Policies\Microsoft\office\16.0\lync"
- Name = "disablehttpconnect"
- Value = 1
- }
- )
-}
diff --git a/Skype4Business2016Audit/README.md b/Skype4Business2016Audit/README.md
deleted file mode 100644
index 3091f058..00000000
--- a/Skype4Business2016Audit/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Skype for Business 2016 Audit
-
-based on
-* _DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide V1R1 2016-11-14_
-
-## Overview
-
-The `Skype4Business2016Audit`-Module benchmarks the current Microsoft Skype for Business 2016 settings with current hardening standards from DISA.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Microsoft Skype for Business 2016**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-### Loading the Skype for Business 2016 Audit module
-
-You only need to import the module when you haven't installed it.
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\Skype4Business2016Audit -Verbose
-```
-3. Generate a report with `Get-Skype4Business2016HtmlReport` For example:
-```PowerShell
-Get-Skype4Business2016HtmlReport -Path "reports/report.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
\ No newline at end of file
diff --git a/Skype4Business2016Audit/Settings.psd1 b/Skype4Business2016Audit/Settings.psd1
deleted file mode 100644
index 26b65a4e..00000000
--- a/Skype4Business2016Audit/Settings.psd1
+++ /dev/null
@@ -1,49 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2018, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - Email = @{ - SMTPServer = "smtp.example.com" - SMTPPort = 25 - MailTo = "mailto@example.com" - MailFrom = "Skype 4 Business Audit Reporting" - Encoding = "UTF8" - User = "audittap@example.com" - PasswordFile = "" - } - - # Path to logfiles - LogFilePath = "C:\Logs" - - # Standard logfile name, used if no other name is passed as parameter - LogFileName = "auditreport.log" -} \ No newline at end of file 
diff --git a/Skype4Business2016Audit/Skype4Business2016Audit.psd1 b/Skype4Business2016Audit/Skype4Business2016Audit.psd1
deleted file mode 100644
index f187f660..00000000
--- a/Skype4Business2016Audit/Skype4Business2016Audit.psd1
+++ /dev/null
@@ -1,148 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - -# Script module or binary module file associated with this manifest. -RootModule = 'Skype4Business2016Audit.psm1' - -# Version number of this module. 
-ModuleVersion = '0.1' - -# Supported PSEditions -# CompatiblePSEditions = @() - -# ID used to uniquely identify this module -GUID = 'c0592445-3437-4736-9f38-f35504de3fb8' - -# Author of this module -Author = 'Dennis Esly' - -# Company or vendor of this module -CompanyName = 'FB Pro GmbH' - -# Copyright statement for this module -Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.' - -# Description of the functionality provided by this module -Description = "A module that benchmarks your Microsoft Skype for Business 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks." - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '5.0' - -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -RequiredModules = @( - 'ATAPHtmlReport' -) - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
-# ScriptsToProcess = @() - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - -# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -# FunctionsToExport = '*' - -# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. -# CmdletsToExport = '*' - -# Variables to export from this module -# VariablesToExport = '*' - -# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. -# AliasesToExport = '*' - -# DSC resources to export from this module -# DscResourcesToExport = @() - -# List of all modules packaged with this module -# ModuleList = @() - -# List of all files packaged with this module -# FileList = @() - -# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. -PrivateData = @{ - - PSData = @{ - - # Tags applied to this module. These help with module discovery in online galleries. - Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'skype', 'cis', 'disa') - - # A URL to the license for this module. - LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' - - # A URL to the main website for this project. - ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' - - # A URL to an icon representing this module. 
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/Skype4Business2016Audit/Skype4Business2016Audit.psm1 b/Skype4Business2016Audit/Skype4Business2016Audit.psm1
deleted file mode 100644
index 3c12f1f9..00000000
--- a/Skype4Business2016Audit/Skype4Business2016Audit.psm1
+++ /dev/null
@@ -1,429 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "MS_Skype4Business_2016_DISA_STIG_V1R1.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 
'Info' { - # Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-Skype4Business2016HtmlReport` cmdlet tests Microsoft Skype for Business 2016 settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-Skype4Business2016HtmlReport -Path "reports/report1.html" -#> -function Save-Skype4Business2016HtmlReport { - param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft Skype for Business 2016 Audit Report" ` - -ModuleName "Excel2016Audit" ` - -BasedOn "DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide V1R1 2016-11-14" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-Skype4Business2016HtmlReport -Value Save-Skype4Business2016HtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-Skype4Business2016HtmlReport -Set-Alias -Name shr -Value Save-Skype4Business2016HtmlReport -#endregion \ No newline at end of file diff --git a/Windows10Audit/README.md b/Windows10Audit/README.md deleted file mode 100644 index 23ba12dc..00000000 --- a/Windows10Audit/README.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Windows 10 Audit - -based on -* _Windows 10 Security Technical Implementation Guide V1R16 2019-01-25_ - -## Overview - -The `Windows10Audit`-Module benchmarks the current systems settings with current hardening standards from the DISA Security Technical Implementation Guide. This module is designed for Windows 10. - -## Requirements - -Please make sure that following requirements are fulfilled: - -* **Windows 10** -* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module. - -## Loading the Windows 10 Audit module - -1. Download the release zip and export the modules in a location you can easily access with PowerShell -2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example: -```Powershell -cd .\Desktop\ -Import-Module -Name .\Audit-Test-Automation\Windows10Audit -Verbose -``` -3. Generate a report with `Get-Windows10HtmlReport` For example: -```PowerShell -Get-Windows10HtmlReport -Path "MyReport.html" -``` - -## Sample report - -You can find a sample report in the [Sample](Sample) folder. - -## Remarks - -At the moment, all negative audit status results are written as an error on the command line. If your system hasn't been hardened yet, the script will therefore write a lot of errors. -Script runs a while - do not be impatient and expect the HTML report with pleasant anticipation. diff --git a/Windows10Audit/Settings.psd1 b/Windows10Audit/Settings.psd1 deleted file mode 100644 index 4bf2dc73..00000000 --- a/Windows10Audit/Settings.psd1 +++ /dev/null 
@@ -1,49 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2018, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - Email = @{ - SMTPServer = "smtp.example.com" - SMTPPort = 25 - MailTo = "audit@example.com" - MailFrom = "Windows 10 Audit Error Reporting" - Encoding = "UTF8" - User = "audit@example.com" - PasswordFile = "" - } - - # Path to logfiles - LogFilePath = "C:\Logs\auditreport.log" - - LegalNoticeTitle = "MyCompanyName" - LegalNoticeText = "Be sure to comply with the guidelines for administrators." -} \ No newline at end of file 
diff --git a/Windows10Audit/Win10_CIS_V1.4.0.psd1 b/Windows10Audit/Win10_CIS_V1.4.0.psd1
deleted file mode 100644
index de16128d..00000000
--- a/Windows10Audit/Win10_CIS_V1.4.0.psd1
+++ /dev/null
@@ -1,8341 +0,0 @@
-@{
- Version = "2.0"
- RegistrySettings = @(
- @{
- Id = "2.3.1.2"
- Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "NoConnectedUser"
- ValueData = @{
- Operation = "equals"
- Value = "3"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.1.4"
- Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "LimitBlankPasswordUse"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.2.1"
- Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "SCENoApplyLegacyAuditPolicy"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.2.2"
- Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "CrashOnAuditFail"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.4.1"
- Task = "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- ValueName = "AllocateDASD"
- ValueData = @{
- Operation = "equals"
- Value = "2"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.4.2"
- Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
- ValueName = "AddPrinterDrivers"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.6.1"
- Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "RequireSignOrSeal"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.6.2"
- Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "SealSecureChannel"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.6.3"
- Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "SignSecureChannel"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.6.4"
- Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "DisablePasswordChange"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.6.5"
- Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "MaximumPasswordAge"
- ValueData = @{
- Operation = "greater than"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "MaximumPasswordAge"
- ValueData = @{
- Operation = "less than or equal"
- Value = "30"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.6.6"
- Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
- ValueName = "RequireStrongKey"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.7.1"
- Task = "(L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "DontDisplayLastUserName"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.7.2"
- Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "DisableCAD"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.7.3"
- Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "MaxDevicePasswordFailedAttempts"
- ValueData = @{
- Operation = "less than or equal"
- Value = "10"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "MaxDevicePasswordFailedAttempts"
- ValueData = @{
- Operation = "greater than"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.7.4"
- Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "InactivityTimeoutSecs"
- ValueData = @{
- Operation = "less than or equal"
- Value = "900"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "InactivityTimeoutSecs"
- ValueData = @{
- Operation = "not equal"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.7.5"
- Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "LegalNoticeText"
- ValueData = @{
- Operation = "pattern match"
- Value = ".+"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.7.6"
- Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "LegalNoticeCaption"
- ValueData = @{
- Operation = "pattern match"
- Value = ".+"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.7.7"
- Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- ValueName = "CachedLogonsCount"
- ValueData = @{
- Operation = "pattern match"
- Value = "^[43210]$"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.7.8"
- Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- ValueName = "PasswordExpiryWarning"
- ValueData = @{
- Operation = "less than or equal"
- Value = "14"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- ValueName = "passwordexpirywarning"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "5"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.7.9"
- Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- ValueName = "ScRemoveOption"
- ValueData = @{
- Operation = "pattern match"
- Value = "^(1|2|3)$"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.8.1"
- Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- ValueName = "RequireSecuritySignature"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.8.2"
- Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- ValueName = "EnableSecuritySignature"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.8.3"
- Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- ValueName = "EnablePlainTextPassword"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.9.1"
- Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "AutoDisconnect"
- ValueData = @{
- Operation = "less than or equal"
- Value = "15"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "AutoDisconnect"
- ValueData = @{
- Operation = "not equal"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.9.2"
- Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "RequireSecuritySignature"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.9.3"
- Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "EnableSecuritySignature"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.9.4"
- Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "enableforcedlogoff"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.9.5"
- Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "SMBServerNameHardeningLevel"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.2"
- Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "RestrictAnonymousSAM"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.3"
- Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "RestrictAnonymous"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.4"
- Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "DisableDomainCreds"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.5"
- Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "EveryoneIncludesAnonymous"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.6"
- Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "NullSessionPipes"
- ValueData = @{
- Operation = "equals"
- Value = @()
- }
- ValueType = "reg_multi_sz"
- }
- }
- @{
- Id = "2.3.10.7"
- Task = "(L1) Ensure 'Network access: Remotely accessible registry paths'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths"
- ValueName = "Machine"
- ValueData = @{
- Operation = "equals"
- Value = @(
- "System\CurrentControlSet\Control\ProductOptions"
- "System\CurrentControlSet\Control\Server Applications"
- "Software\Microsoft\Windows NT\CurrentVersion"
- )
- }
- ValueType = "reg_multi_sz"
- }
- }
- @{
- Id = "2.3.10.8"
- Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
- ValueName = "Machine"
- ValueData = @{
- Operation = "equals"
- Value = @(
- "System\CurrentControlSet\Control\Print\Printers"
- "System\CurrentControlSet\Services\Eventlog"
- "Software\Microsoft\OLAP Server"
- "Software\Microsoft\Windows NT\CurrentVersion\Print"
- "Software\Microsoft\Windows NT\CurrentVersion\Windows"
- "System\CurrentControlSet\Control\ContentIndex"
- "System\CurrentControlSet\Control\Terminal Server"
- "System\CurrentControlSet\Control\Terminal Server\UserConfig"
- "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration"
- "Software\Microsoft\Windows NT\CurrentVersion\Perflib"
- "System\CurrentControlSet\Services\SysmonLog"
- )
- }
- ValueType = "reg_multi_sz"
- }
- }
- @{
- Id = "2.3.10.9"
- Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "RestrictNullSessAccess"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.10.10"
- Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- ValueName = "restrictremotesam"
- ValueData = @{
- Operation = "equals"
- Value = "O:BAG:BAD:(A;;RC;;;BA)"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "2.3.10.11"
- Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "NullSessionShares"
- ValueData = $Null
- ValueType = $Null
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
- ValueName = "NullSessionShares"
- ValueData = @{
- Operation = "pattern match"
- Value = "^$"
- }
- ValueType = "reg_multi_sz"
- }
- )
- }
- }
- @{
- Id = "2.3.10.12"
- Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "ForceGuest"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.1"
- Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "UseMachineId"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.2"
- Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0"
- ValueName = "AllowNullSessionFallback"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.3"
- Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa\pku2u"
- ValueName = "AllowOnlineID"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.4"
- Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
- ValueName = "SupportedEncryptionTypes"
- ValueData = @{
- Operation = "equals"
- Value = "2147483644"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
- ValueName = "SupportedEncryptionTypes"
- ValueData = @{
- Operation = "equals"
- Value = "2147483640"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "2.3.11.5"
- Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "NoLMHash"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.7"
- Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa"
- ValueName = "LmCompatibilityLevel"
- ValueData = @{
- Operation = "equals"
- Value = "5"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.8"
- Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Services\LDAP"
- ValueName = "LDAPClientIntegrity"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.9"
- Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0"
- ValueName = "NTLMMinClientSec"
- ValueData = @{
- Operation = "equals"
- Value = "537395200"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.11.10"
- Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0"
- ValueName = "NTLMMinServerSec"
- ValueData = @{
- Operation = "equals"
- Value = "537395200"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.14.1"
- Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Cryptography"
- ValueName = "ForceKeyProtection"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.15.1"
- Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Session Manager\Kernel"
- ValueName = "ObCaseInsensitive"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.15.2"
- Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\System\CurrentControlSet\Control\Session Manager"
- ValueName = "ProtectionMode"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.1"
- Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "FilterAdministratorToken"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.2"
- Task = "(L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "EnableUIADesktopToggle"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.3"
- Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "ConsentPromptBehaviorAdmin"
- ValueData = @{
- Operation = "equals"
- Value = "2"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.4"
- Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "ConsentPromptBehaviorUser"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.5"
- Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "EnableInstallerDetection"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.6"
- Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "EnableSecureUIAPaths"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.7"
- Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "EnableLUA"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.8"
- Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "PromptOnSecureDesktop"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "2.3.17.9"
- Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "EnableVirtualization"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.1"
- Task = "(L2) Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\BthHFSrv"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.2"
- Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\bthserv"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.3"
- Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Browser"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Browser"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.4"
- Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.5"
- Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.6"
- Task = "(L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\HomeGroupListener"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\HomeGroupListener"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.7"
- Task = "(L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\HomeGroupProvider"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\HomeGroupProvider"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.8"
- Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.9"
- Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\irmon"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.10"
- Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.11"
- Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.12"
- Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.13"
- Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC"
- ValueName = "Start"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "5.14"
- Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.15"
- Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.16"
- Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.17"
- Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.18"
- Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.19"
- Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.20"
- Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.21"
- Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.22"
- Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\TermService"
- ValueName = "Start"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "5.23"
- Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService"
- ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.24" - Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.25" - Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.26" - Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.27" - Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.28" - Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\simptcp" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\simptcp" - ValueName = 
"Start" - ValueData = $Null - ValueType = $Null - } - ) - } - } - @{ - Id = "5.29" - Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" - ValueName = "Start" - ValueData = $Null - ValueType = $Null - } - ) - } - } - @{ - Id = "5.30" - Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.31" - Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\upnphost" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.32" - Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc" - ValueName = "Start" - ValueData = $Null - ValueType = $Null - } - ) - } - } - @{ - Id = "5.33" - Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" - Config = 
@{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.34" - Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.35" - Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" - ValueName = "Start" - ValueData = $Null - ValueType = $Null - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - ) - } - } - @{ - Id = "5.36" - Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\icssvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.37" - Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WpnService" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.38" - Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" - Config = 
@{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.39" - Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\WinRM" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.40" - Task = "(L2) Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\InstallService" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.41" - Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC" - ValueName = "Start" - ValueData = $Null - ValueType = $Null - } - ) - } - } - @{ - Id = "5.42" - Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.43" - Task = "(L1) Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'" - Config = @{ - Type = 
"RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\xbgm" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.44" - Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.45" - Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "5.46" - Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - # @{ - # Id = "9.1.1" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" - # ValueName = "EnableFirewall" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.2" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" - # ValueName = "DefaultInboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = 
"1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.3" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" - # ValueName = "DefaultOutboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = "0" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.4" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" - # ValueName = "DisableNotifications" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.5" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" - # ValueName = "LogFilePath" - # ValueData = @{ - # Operation = "equals" - # Value = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log" - # } - # ValueType = "reg_sz" - # } - # } - # @{ - # Id = "9.1.6" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" - # ValueName = "LogFileSize" - # ValueData = @{ - # Operation = "greater than or equal" - # Value = "16384" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.7" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # 
Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" - # ValueName = "LogDroppedPackets" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.1.8" - # Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" - # ValueName = "LogSuccessfulConnections" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.1" - # Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" - # ValueName = "EnableFirewall" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.2" - # Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" - # ValueName = "DefaultInboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.3" - # Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" - # ValueName = "DefaultOutboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = "0" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.4" - # Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is 
set to 'No'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" - # ValueName = "DisableNotifications" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.5" - # Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" - # ValueName = "LogFilePath" - # ValueData = @{ - # Operation = "equals" - # Value = "%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log" - # } - # ValueType = "reg_sz" - # } - # } - # @{ - # Id = "9.2.6" - # Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" - # ValueName = "LogFileSize" - # ValueData = @{ - # Operation = "greater than or equal" - # Value = "16384" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.7" - # Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" - # ValueName = "LogDroppedPackets" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.2.8" - # Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" - # ValueName = "LogSuccessfulConnections" - # ValueData = @{ - # 
Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.1" - # Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # ValueName = "EnableFirewall" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.2" - # Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # ValueName = "DefaultInboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.3" - # Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # ValueName = "DefaultOutboundAction" - # ValueData = @{ - # Operation = "equals" - # Value = "0" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.4" - # Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # ValueName = "DisableNotifications" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.5" - # Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # 
ValueName = "AllowLocalPolicyMerge" - # ValueData = @{ - # Operation = "equals" - # Value = "0" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.6" - # Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" - # ValueName = "AllowLocalIPsecPolicyMerge" - # ValueData = @{ - # Operation = "equals" - # Value = "0" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.7" - # Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" - # ValueName = "LogFilePath" - # ValueData = @{ - # Operation = "equals" - # Value = "%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log" - # } - # ValueType = "reg_sz" - # } - # } - # @{ - # Id = "9.3.8" - # Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" - # ValueName = "LogFileSize" - # ValueData = @{ - # Operation = "greater than or equal" - # Value = "16384" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.9" - # Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" - # ValueName = "LogDroppedPackets" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - # @{ - # Id = "9.3.10" - # Task = "(L1) Ensure 'Windows Firewall: Public: 
Logging: Log successful connections' is set to 'Yes'" - # Config = @{ - # Type = "RegistryConfig" - # Existence = "Yes" - # Key = "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" - # ValueName = "LogSuccessfulConnections" - # ValueData = @{ - # Operation = "equals" - # Value = "1" - # } - # ValueType = "reg_dword" - # } - # } - @{ - Id = "18.1.1.1" - Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Personalization" - ValueName = "NoLockScreenCamera" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.1.1.2" - Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Personalization" - ValueName = "NoLockScreenSlideshow" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.1.2.2" - Task = "(L1) Ensure 'Allow input personalization' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization" - ValueName = "AllowInputPersonalization" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.1.3" - Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" - ValueName = "AllowOnlineTips" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.2.1" - Task = "(L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}" - ValueName = "DllName" - ValueData = @{ - Operation = "equals" - Value = "C:\Program Files\LAPS\CSE\AdmPwd.dll" - } - ValueType = "reg_sz" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}" - ValueName = "DllName" - ValueData = @{ - Operation = "equals" - Value = "C:\Program Files\LAPS\CSE\AdmPwd.dll" - } - ValueType = "reg_expand_sz" - } - ) - } - } - @{ - Id = "18.2.2" - Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - ValueName = "PwdExpirationProtectionEnabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.2.3" - Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - ValueName = "AdmPwdEnabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.2.4" - Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - ValueName = "PasswordComplexity" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.2.5" - Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - ValueName = 
"PasswordLength" - ValueData = @{ - Operation = "greater than or equal" - Value = "15" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.2.6" - Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - ValueName = "PasswordAgeDays" - ValueData = @{ - Operation = "less than or equal" - Value = "30" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.3.1" - Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" - ValueName = "LocalAccountTokenFilterPolicy" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.3.2" - Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" - ValueName = "Start" - ValueData = @{ - Operation = "equals" - Value = "4" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.3.3" - Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" - ValueName = "SMB1" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.3.4" - Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" - ValueName = "DisableExceptionChainValidation" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = 
"18.3.5" - Task = "(L1) Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" - ValueName = "MpEnablePus" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.3.6" - Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" - ValueName = "UseLogonCredential" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.1" - Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" - ValueName = "AutoAdminLogon" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_sz" - } - } - @{ - Id = "18.4.2" - Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters" - ValueName = "DisableIPSourceRouting" - ValueData = @{ - Operation = "equals" - Value = "2" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.3" - Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" - ValueName = "DisableIPSourceRouting" - 
ValueData = @{ - Operation = "equals" - Value = "2" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.4" - Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\RasMan\Parameters" - ValueName = "disablesavepassword" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.5" - Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" - ValueName = "EnableICMPRedirect" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.6" - Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" - ValueName = "KeepAliveTime" - ValueData = @{ - Operation = "equals" - Value = "300000" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.7" - Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\NetBT\Parameters" - ValueName = "nonamereleaseondemand" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.8" - Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" - ValueName = "PerformRouterDiscovery" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.9" - Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" - ValueName = "SafeDllSearchMode" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.10" - Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" - ValueName = "ScreenSaverGracePeriod" - ValueData = @{ - Operation = "less than or equal" - Value = "5" - } - ValueType = "reg_sz" - } - } - @{ - Id = "18.4.11" - Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters" - ValueName = "tcpmaxdataretransmissions" - ValueData = @{ - Operation = "equals" - Value = "3" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.12" - Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" - ValueName = "tcpmaxdataretransmissions" - ValueData = @{ - Operation = "equals" - Value = "3" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.4.13" - Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at 
which the system will generate a warning' is set to 'Enabled: 90% or less'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security" - ValueName = "WarningLevel" - ValueData = @{ - Operation = "less than or equal" - Value = "90" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.4.1" - Task = "(L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Services\Netbt\Parameters" - ValueName = "NodeType" - ValueData = @{ - Operation = "equals" - Value = "2" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.4.2" - Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" - ValueName = "EnableMulticast" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.5.1" - Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - ValueName = "EnableFontProviders" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.8.1" - Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" - ValueName = "AllowInsecureGuestAuth" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.9.1" - Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "AllowLLTDIOOnDomain" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "ProhibitLLTDIOOnPrivateNet" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "EnableLLTDIO" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "AllowLLTDIOOnPublicNet" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - ) - } - } - @{ - Id = "18.5.9.2" - Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "AllowRspndrOnDomain" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "ProhibitRspndrOnPrivateNet" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "EnableRspndr" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\LLTD" - ValueName = "AllowRspndrOnPublicNet" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - ) - } 
- } - @{ - Id = "18.5.10.2" - Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Peernet" - ValueName = "Disabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.11.2" - Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" - ValueName = "NC_AllowNetBridge_NLA" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.11.3" - Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" - ValueName = "NC_ShowSharedAccessUI" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.11.4" - Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Network Connections" - ValueName = "NC_StdDomainUserSetLocation" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.14.1" - Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" - ValueName = 
"\\*\NETLOGON" - ValueData = @{ - Operation = "pattern match" - Value = "[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1" - } - ValueType = "reg_sz" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" - ValueName = "\\*\SYSVOL" - ValueData = @{ - Operation = "pattern match" - Value = "[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1" - } - ValueType = "reg_sz" - } - ) - } - } - @{ - Id = "18.5.19.2.1" - Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" - ValueName = "DisabledComponents" - ValueData = @{ - Operation = "equals" - Value = "255" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.20.1" - Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WCN\Registrars" - ValueName = "EnableRegistrars" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WCN\Registrars" - ValueName = "DisableWPDRegistrar" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WCN\Registrars" - ValueName = "DisableFlashConfigRegistrar" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\Software\Policies\Microsoft\Windows\WCN\Registrars" - ValueName = "DisableInBand802DOT11Registrar" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WCN\Registrars" - ValueName = "DisableUPnPRegistrar" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - ) - } - } - @{ - Id = "18.5.20.2" - Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WCN\UI" - ValueName = "DisableWcnUi" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.21.1" - Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" - ValueName = "fMinimizeConnections" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.21.2" - Task = "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" - ValueName = "fBlockNonDomain" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.5.23.2.1" - Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" - ValueName = 
"AutoConnectAllowedOEM" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.3.1" - Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" - ValueName = "ProcessCreationIncludeCmdLine_Enabled" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.4.1" - Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" - ValueName = "AllowProtectedCreds" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.5.1" - Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - ValueName = "EnableVirtualizationBasedSecurity" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.5.2" - Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - ValueName = "RequirePlatformSecurityFeatures" - ValueData = @{ - Operation = "equals" - Value = "3" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.5.3" - Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - ValueName = "HypervisorEnforcedCodeIntegrity" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.5.4" - Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - ValueName = "HVCIMATRequired" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.5.5" - Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - ValueName = "LsaCfgFlags" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.7.1.1" - Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" - ValueName = "DenyDeviceIDs" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.7.1.2" - Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" - ValueName = "1" - ValueData = @{ - Operation = "equals" - Value = "PCI\CC_0C0A" - } - ValueType = "reg_sz" - } - } - @{ - Id = "18.8.7.1.3" - Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to 
matching devices that are already installed.' is set to 'True' (checked)" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" - ValueName = "DenyDeviceIDsRetroactive" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.7.1.4" - Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" - ValueName = "DenyDeviceClasses" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ # BUGS - Id = "18.8.7.1.5" - Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" - ValueName = "1" - ValueData = @{ - Operation = "equals" - Value = "{d48179be-ec20-11d1-b6b8-00c04fa372a7}" - } - ValueType = "reg_sz" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" - ValueName = "2" - ValueData = @{ - Operation = "equals" - Value = "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" - } - ValueType = "reg_sz" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" - ValueName = "3" - ValueData = @{ - Operation = "equals" - Value = "{c06ff265-ae09-48f0-812c-16753d7cba83}" - } - ValueType = "reg_sz" - } - @{ - Type = "RegistryConfig" - Existence 
= "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" - ValueName = "4" - ValueData = @{ - Operation = "equals" - Value = "{6bdd1fc1-810f-11d0-bec7-08002be2092f}" - } - ValueType = "reg_sz" - } - ) - } - } - @{ - Id = "18.8.7.1.6" - Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" - ValueName = "DenyDeviceClassesRetroactive" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.14.1" - Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\System\CurrentControlSet\Policies\EarlyLaunch" - ValueName = "DriverLoadPolicy" - ValueData = @{ - Operation = "equals" - Value = "3" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.21.2" - Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" - ValueName = "NoBackgroundPolicy" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.21.3" - Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" - ValueName = "NoGPOListChanges" - ValueData = @{ - Operation 
= "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.21.4" - Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - ValueName = "EnableCdp" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.21.5" - Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "None" - Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" - ValueName = "DisableBkGndGroupPolicy" - ValueData = $Null - ValueType = $Null - } - } - @{ - Id = "18.8.22.1.1" - Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" - ValueName = "NoUseStoreOpenWith" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.2" - Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers" - ValueName = "DisableWebPnPDownload" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.3" - Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\TabletPC" - ValueName = "PreventHandwritingDataSharing" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.4" - Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" - Config = @{ - Type = 
"RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\HandwritingErrorReports" - ValueName = "PreventHandwritingErrorReports" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.5" - Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard" - ValueName = "ExitOnMSICW" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.6" - Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" - ValueName = "NoWebServices" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.7" - Task = "(L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers" - ValueName = "DisableHTTPPrinting" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.8" - Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control" - ValueName = "NoRegistration" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.9" - Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = 
"Yes" - Key = "HKLM:\Software\Policies\Microsoft\SearchCompanion" - ValueName = "DisableContentFileUpdates" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.10" - Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" - ValueName = "NoOnlinePrintsWizard" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.11" - Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" - ValueName = "NoPublishingWizard" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.12" - Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Messenger\Client" - ValueName = "CEIP" - ValueData = @{ - Operation = "equals" - Value = "2" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.13" - Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\SQMClient\Windows" - ValueName = "CEIPEnable" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.22.1.14" - Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = 
"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting" - ValueName = "Disabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" - ValueName = "DoReport" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - ) - } - } - @{ - Id = "18.8.25.1" - Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" - Config = @{ - Type = "ComplexConfig" - Operation = "AND" - Configs = @( - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" - ValueName = "DevicePKInitBehavior" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" - ValueName = "DevicePKInitEnabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - ) - } - } - @{ - Id = "18.8.26.1" - Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Control Panel\International" - ValueName = "BlockUserInputMethodsForSignIn" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.1" - Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - ValueName = "BlockUserFromShowingAccountDetailsOnSignin" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = 
"18.8.27.2" - Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "DontDisplayNetworkSelectionUI" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.3" - Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "DontEnumerateConnectedUsers" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.4" - Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "EnumerateLocalUsers" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.5" - Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "DisableLockScreenAppNotifications" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.6" - Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "BlockDomainPicturePassword" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.27.7" - Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - 
Key = "HKLM:\Software\Policies\Microsoft\Windows\System" - ValueName = "AllowDomainPINLogon" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.1" - Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" - ValueName = "DCSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.2" - Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" - ValueName = "ACSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.3" - Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" - ValueName = "DCSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.4" - Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" - ValueName = "ACSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.5" - Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" - Config = @{ - Type = 
"RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" - ValueName = "DCSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.33.6.6" - Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" - ValueName = "ACSettingIndex" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.35.1" - Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services" - ValueName = "fAllowUnsolicited" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.35.2" - Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services" - ValueName = "fAllowToGetHelp" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.36.1" - Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows NT\Rpc" - ValueName = "EnableAuthEpResolution" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.36.2" - Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows 
NT\Rpc" - ValueName = "RestrictRemoteClients" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.44.5.1" - Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" - ValueName = "DisableQueryRemoteServer" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.44.11.1" - Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" - ValueName = "ScenarioExecutionEnabled" - ValueData = @{ - Operation = "equals" - Value = "0" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.46.1" - Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo" - ValueName = "DisabledByGroupPolicy" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.49.1.1" - Task = "(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" - ValueName = "Enabled" - ValueData = @{ - Operation = "equals" - Value = "1" - } - ValueType = "reg_dword" - } - } - @{ - Id = "18.8.49.1.2" - Task = "(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled'" - Config = @{ - Type = "RegistryConfig" - Existence = "Yes" - Key = "HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" - ValueName = "Enabled" - ValueData = @{ - Operation = "equals" - Value = "0" - } - 
ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.4.1"
- Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager"
- ValueName = "AllowSharedLocalAppData"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.6.1"
- Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "MSAOptional"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.6.2"
- Task = "(L2) Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "BlockHostedAppAccessWinRT"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.8.1"
- Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
- ValueName = "NoAutoplayfornonVolume"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.8.2"
- Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- ValueName = "NoAutorun"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = 
"18.9.8.3"
- Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- ValueName = "NoDriveTypeAutoRun"
- ValueData = @{
- Operation = "equals"
- Value = "255"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.10.1.1"
- Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures"
- ValueName = "EnhancedAntiSpoofing"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.1"
- Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "FDVDiscoveryVolumeType"
- ValueData = @{
- Operation = "equals"
- Value = ""
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.11.1.2"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVRecovery"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.3"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVManageDRA"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.4"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set 
to 'Enabled: Allow 48-digit recovery password'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVRecoveryPassword"
- ValueData = @{
- Operation = "equals"
- Value = "2"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.5"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVRecoveryKey"
- ValueData = @{
- Operation = "equals"
- Value = "2"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.6"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVHideRecoveryPage"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.7"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.8"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVActiveDirectoryInfoToStore"
- ValueData = @{
- Operation = "equals"
- 
Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.9"
- Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVRequireActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.10"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVHardwareEncryption"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.11"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVAllowSoftwareEncryptionFailover"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.12"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVRestrictHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.13"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict 
crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "FDVAllowedHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation = "equals"
- Value = "2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42"
- }
- ValueType = "reg_expand_sz"
- }
- }
- @{
- Id = "18.9.11.1.14"
- Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "FDVPassphrase"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.15"
- Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "FDVAllowUserCert"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.1.16"
- Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "FDVEnforceUserCert"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.1"
- Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "UseEnhancedPin"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.2"
- Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'"
- 
Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "OSAllowSecureBootForIntegrity"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.3"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSRecovery"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.4"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSManageDRA"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.5"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSRecoveryPassword"
- ValueData = @{
- Operation = "equals"
- Value = "2"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.6"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSRecoveryKey"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.7"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: 
Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSHideRecoveryPage"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.8"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.9"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSActiveDirectoryInfoToStore"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.10"
- Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSRequireActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.11"
- Task = "(BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = 
"HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "MinimumPIN"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "7"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.12"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSHardwareEncryption"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.13"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSAllowSoftwareEncryptionFailover"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.14"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSRestrictHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.15"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "OSAllowedHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation = "equals"
- Value = 
"2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42"
- }
- ValueType = "reg_expand_sz"
- }
- }
- @{
- Id = "18.9.11.2.16"
- Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "OSPassphrase"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.17"
- Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "UseAdvancedStartup"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.18"
- Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "EnableBDEWithNoTPM"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.19"
- Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "UseTPM"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.20"
- Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "UseTPMPIN"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = 
"18.9.11.2.21"
- Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "UseTPMKey"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.2.22"
- Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "UseTPMKeyPIN"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.1"
- Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "RDVDiscoveryVolumeType"
- ValueData = @{
- Operation = "equals"
- Value = ""
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.11.3.2"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVRecovery"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.3"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVManageDRA"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = 
"18.9.11.3.4"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVRecoveryPassword"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.5"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVRecoveryKey"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.6"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVHideRecoveryPage"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.7"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.8"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'"
- Config = @{
- Type = 
"RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVActiveDirectoryInfoToStore"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.9"
- Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVRequireActiveDirectoryBackup"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.10"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVHardwareEncryption"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.11"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVAllowSoftwareEncryptionFailover"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.12"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVRestrictHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation 
= "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.13"
- Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "RDVAllowedHardwareEncryptionAlgorithms"
- ValueData = @{
- Operation = "equals"
- Value = "2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42"
- }
- ValueType = "reg_expand_sz"
- }
- }
- @{
- Id = "18.9.11.3.14"
- Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "RDVPassphrase"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.15"
- Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "RDVAllowUserCert"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.16"
- Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "RDVEnforceUserCert"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.17"
- Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = 
"HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE"
- ValueName = "RDVDenyWriteAccess"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.3.18"
- Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\FVE"
- ValueName = "RDVDenyCrossOrg"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.11.4"
- Task = "(BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled: XTS-AES 256-bit'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "EncryptionMethodWithXtsFdv"
- ValueData = @{
- Operation = "equals"
- Value = "7"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "EncryptionMethodWithXtsRdv"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "EncryptionMethodWithXtsOs"
- ValueData = @{
- Operation = "equals"
- Value = "7"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.11.5"
- Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
- ValueName = "DisableExternalDMAUnderLock"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.12.1"
- Task = "(L2) Ensure 
'Allow Use of Camera' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Camera"
- ValueName = "AllowCamera"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.13.1"
- Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent"
- ValueName = "DisableWindowsConsumerFeatures"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.14.1"
- Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect"
- ValueName = "RequirePinForPairing"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.15.1"
- Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\CredUI"
- ValueName = "DisablePasswordReveal"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.15.2"
- Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI"
- ValueName = "EnumerateAdministrators"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.16.1"
- Task = "(L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- 
Key = "HKLM:\Software\Policies\Microsoft\Windows\DataCollection"
- ValueName = "AllowTelemetry"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\DataCollection"
- ValueName = "AllowTelemetry"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.16.2"
- Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
- ValueName = "DisableEnterpriseAuthProxy"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.16.3"
- Task = "(L1) Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds"
- ValueName = "EnableConfigFlighting"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.16.4"
- Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
- ValueName = "DoNotShowFeedbackNotifications"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.16.5"
- Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds"
- ValueName = "AllowBuildPreview"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id 
= "18.9.17.1"
- Task = "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\DeliveryOptimization"
- ValueName = "DODownloadMode"
- ValueData = @{
- Operation = "not equal"
- Value = "3"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.26.1.1"
- Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application"
- ValueName = "Retention"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.26.1.2"
- Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application"
- ValueName = "MaxSize"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "32768"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.26.2.1"
- Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security"
- ValueName = "Retention"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.26.2.2"
- Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security"
- ValueName = "MaxSize"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "196608"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.26.3.1"
- Task = 
"(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup"
- ValueName = "Retention"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.26.3.2"
- Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup"
- ValueName = "MaxSize"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "32768"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.26.4.1"
- Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\System"
- ValueName = "Retention"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.26.4.2"
- Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\System"
- ValueName = "MaxSize"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "32768"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.30.2"
- Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
- ValueName = "NoDataExecutionPrevention"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.30.3"
- Task = "(L1) Ensure 'Turn off heap termination on 
corruption' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
- ValueName = "NoHeapTerminationOnCorruption"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.30.4"
- Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- ValueName = "PreXPSP2ShellProtocolBehavior"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.35.1"
- Task = "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\HomeGroup"
- ValueName = "DisableHomeGroup"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.39.2"
- Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors"
- ValueName = "DisableLocation"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.43.1"
- Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging"
- ValueName = "AllowMessageSync"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.44.1"
- Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount"
- ValueName = 
"DisableUserAuth"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.1"
- Task = "(L2) Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI"
- ValueName = "ShowOneBox"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.2"
- Task = "(L2) Ensure 'Allow Adobe Flash' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons"
- ValueName = "FlashPlayerEnabled"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.3"
- Task = "(L2) Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "AllowInPrivate"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.4"
- Task = "(L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "Cookies"
- ValueData = @{
- Operation = "less than or equal"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.5"
- Task = "(L1) Ensure 'Configure Password Manager' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "FormSuggest Passwords"
- ValueData = @{
- Operation = "equals"
- Value = "no"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.45.6"
- Task = "(L2) Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
- Config = @{
- Type = 
"RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "AllowPopups"
- ValueData = @{
- Operation = "equals"
- Value = "yes"
- }
- ValueType = "reg_sz"
- }
- }
- @{
- Id = "18.9.45.7"
- Task = "(L2) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes"
- ValueName = "ShowSearchSuggestionsGlobal"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.8"
- Task = "(L1) Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security"
- ValueName = "FlashClickToRunMode"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.9"
- Task = "(L2) Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "PreventAccessToAboutFlagsInMicrosoftEdge"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.45.10"
- Task = "(L2) Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main"
- ValueName = "HideLocalHostIP"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.52.1"
- Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\OneDrive"
- ValueName = 
"DisableFileSyncNGSC"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.57.1"
- Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall"
- ValueName = "DisablePushToInstall"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.2.2"
- Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "DisablePasswordSaving"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.2.1"
- Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fDenyTSConnections"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.3.1"
- Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fDisableCcm"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.3.2"
- Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fDisableCdm"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.3.3"
- Task = "(L2) Ensure 
'Do not allow LPT port redirection' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fDisableLPT"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.3.4"
- Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fDisablePNPRedir"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.9.1"
- Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fPromptForPassword"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.9.2"
- Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "fEncryptRPCTraffic"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.9.3"
- Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "MinEncryptionLevel"
- ValueData = @{
- Operation = "equals"
- Value = "3"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.10.1"
- Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- Config = @{ 
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "MaxIdleTime"
- ValueData = @{
- Operation = "less than or equal"
- Value = "900000"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "MaxIdleTime"
- ValueData = @{
- Operation = "not equal"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.58.3.10.2"
- Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "MaxDisconnectionTime"
- ValueData = @{
- Operation = "equals"
- Value = "60000"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.11.1"
- Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "DeleteTempDirsOnExit"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.58.3.11.2"
- Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services"
- ValueName = "PerSessionTempDir"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.59.1"
- Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds"
- ValueName = "DisableEnclosureDownload"
- ValueData = 
@{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.60.2"
- Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowCloudSearch"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowCloudSearch"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "18.9.60.3"
- Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowCortana"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.60.4"
- Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowCortanaAboveLock"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.60.5"
- Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowIndexingEncryptedStoresOrItems"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.60.6"
- Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- ValueName = "AllowSearchToUseLocation"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.65.1"
- Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform"
- ValueName = "NoGenTicket"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.68.1"
- Task = "(L2) Ensure 'Disable all apps from Windows Store' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
- ValueName = "DisableStoreApps"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.68.2"
- Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
- ValueName = "AutoDownload"
- ValueData = @{
- Operation = "equals"
- Value = "4"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.68.3"
- Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
- ValueName = "DisableOSUpgrade"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.68.4"
- Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
- ValueName = "RemoveWindowsStore"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- 
}
- }
- @{
- Id = "18.9.76.3.1"
- Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
- ValueName = "LocalSettingOverrideSpynetReporting"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.3.2"
- Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet"
- ValueName = "SpynetReporting"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "None"
- Key = "HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet"
- ValueName = "SpynetReporting"
- ValueData = $Null
- ValueType = $Null
- }
- )
- }
- }
- @{
- Id = "18.9.76.7.1"
- Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
- ValueName = "DisableBehaviorMonitoring"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.9.1"
- Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting"
- ValueName = "DisableGenericReports"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.10.1"
- Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan"
- ValueName = 
"DisableRemovableDriveScanning"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.10.2"
- Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan"
- ValueName = "DisableEmailScanning"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.13.1.1"
- Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
- ValueName = "ExploitGuard_ASR_Rules"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.13.1.2"
- Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "3b576869-a4ec-4529-8536-b80a7769e899"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig" 
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "d3e037e1-3eb8-44c8-a917-57927947596d"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- ValueName = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_sz"
- }
- )
- }
- }
- @{
- Id = "18.9.76.13.3.1"
- Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"
- ValueName = "EnableNetworkProtection"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.76.14"
- Task = "(L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
- ValueName = "DisableAntiSpyware"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.77.1"
- Task = "(NG) Ensure 'Allow 
auditing events in Windows Defender Application Guard' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI"
- ValueName = "AuditApplicationGuard"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.77.2"
- Task = "(NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI"
- ValueName = "AllowPersistence"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.77.3"
- Task = "(NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI"
- ValueName = "AppHVSIClipboardSettings"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.77.4"
- Task = "(NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI"
- ValueName = "AllowAppHVSI_ProviderSet"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.79.1.1"
- Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection"
- ValueName = "DisallowExploitProtectionOverride"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.80.1.1"
- Task = "(L1) Ensure 
'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
- ValueName = "ShellSmartScreenLevel"
- ValueData = @{
- Operation = "equals"
- Value = "Block"
- }
- ValueType = "reg_sz"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\System"
- ValueName = "EnableSmartScreen"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.80.2.1"
- Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter"
- ValueName = "EnabledV9"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.80.2.2"
- Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter"
- ValueName = "PreventOverrideAppRepUnknown"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.80.2.3"
- Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter"
- ValueName = "PreventOverride"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.82.1"
- Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR"
- ValueName = "AllowGameDVR"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.84.1"
- Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
- ValueName = "AllowSuggestedAppsInWindowsInkWorkspace"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.84.2"
- Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
- ValueName = "AllowWindowsInkWorkspace"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
- ValueName = "AllowWindowsInkWorkspace"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.85.1"
- Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Installer"
- ValueName = "EnableUserControl"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.85.2"
- Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Installer"
- ValueName = "AlwaysInstallElevated"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = 
"reg_dword"
- }
- }
- @{
- Id = "18.9.85.3"
- Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\Installer"
- ValueName = "SafeForScripting"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.86.1"
- Task = "(L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
- ValueName = "DisableAutomaticRestartSignOn"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.95.1"
- Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
- ValueName = "EnableScriptBlockLogging"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.95.2"
- Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription"
- ValueName = "EnableTranscripting"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.1.1"
- Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client"
- ValueName = "AllowBasic"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.1.2"
- Task = "(L1) Ensure 'Allow unencrypted traffic' 
is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client"
- ValueName = "AllowUnencryptedTraffic"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.1.3"
- Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client"
- ValueName = "AllowDigest"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.2.1"
- Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service"
- ValueName = "AllowBasic"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.2.2"
- Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- ValueName = "AllowAutoConfig"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.2.3"
- Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- ValueName = "AllowUnencryptedTraffic"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.97.2.4"
- Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service"
- ValueName = "DisableRunAs"
- ValueData = @{
- Operation = 
"equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.98.1"
- Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS"
- ValueName = "AllowRemoteShellAccess"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.101.1.1"
- Task = "(L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "ManagePreviewBuilds"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "ManagePreviewBuildsPolicyValue"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.101.1.2"
- Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "DeferFeatureUpdates"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "BranchReadinessLevel"
- ValueData = @{
- Operation = "equals"
- Value = "32"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = 
"DeferFeatureUpdatesPeriodInDays"
- ValueData = @{
- Operation = "greater than or equal"
- Value = "180"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.101.1.3"
- Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "DeferQualityUpdates"
- ValueData = @{
- Operation = "equals"
- Value = "1"
- }
- ValueType = "reg_dword"
- }
- @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- ValueName = "DeferQualityUpdatesPeriodInDays"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- )
- }
- }
- @{
- Id = "18.9.101.2"
- Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
- ValueName = "NoAutoUpdate"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.101.3"
- Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
- ValueName = "ScheduledInstallDay"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- @{
- Id = "18.9.101.4"
- Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- Config = @{
- Type = "RegistryConfig"
- Existence = "Yes"
- Key = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
- ValueName = "NoAutoRebootWithLoggedOnUsers"
- ValueData = @{
- Operation = "equals"
- Value = "0"
- }
- ValueType = "reg_dword"
- }
- }
- # @{
- # Id = "19.1.3.1"
- # Task = "(L1) Ensure 'Enable screen saver' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
- # ValueName = "ScreenSaveActive"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_sz"
- # }
- # }
- # @{
- # Id = "19.1.3.2"
- # Task = "(L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
- # ValueName = "SCRNSAVE.EXE"
- # ValueData = @{
- # Operation = "equals"
- # Value = "scrnsave.scr"
- # }
- # ValueType = "reg_sz"
- # }
- # }
- # @{
- # Id = "19.1.3.3"
- # Task = "(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
- # ValueName = "ScreenSaverIsSecure"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_sz"
- # }
- # }
- # @{
- # Id = "19.1.3.4"
- # Task = "(L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'"
- # Config = @{
- # Type = "ComplexConfig"
- # Operation = "AND"
- # Configs = @(
- # @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
- # ValueName = "ScreenSaveTimeOut"
- # ValueData = @{
- # Operation = "less than or equal"
- # Value = "900"
- # }
- # ValueType = "reg_sz"
- # }
- # @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
- # ValueName = "ScreenSaveTimeOut"
- # ValueData = @{
- # Operation = "not equal"
- # Value = "0"
- # }
- # ValueType = "reg_sz"
- # }
- # ) 
- # }
- # }
- # @{
- # Id = "19.5.1.1"
- # Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications"
- # ValueName = "NoToastApplicationNotificationOnLockScreen"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.6.5.1.1"
- # Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Assistance\Client\1.0"
- # ValueName = "NoImplicitFeedback"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.4.1"
- # Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
- # ValueName = "SaveZoneInformation"
- # ValueData = @{
- # Operation = "equals"
- # Value = "2"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.4.2"
- # Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
- # ValueName = "ScanWithAntiVirus"
- # ValueData = @{
- # Operation = "equals"
- # Value = "3"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.7.1"
- # Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\CloudContent"
- # ValueName = 
"ConfigureWindowsSpotlight"
- # ValueData = @{
- # Operation = "equals"
- # Value = "2"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.7.2"
- # Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\CloudContent"
- # ValueName = "DisableThirdPartySuggestions"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.7.3"
- # Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\CloudContent"
- # ValueName = "DisableTailoredExperiencesWithDiagnosticData"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.7.4"
- # Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\CloudContent"
- # ValueName = "DisableWindowsSpotlightFeatures"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.26.1"
- # Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- # ValueName = "NoInplaceSharing"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.40.1"
- # Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\Windows\Installer"
- # ValueName = "AlwaysInstallElevated"
- # ValueData = @{
- # Operation = "equals"
- # Value = "0"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- # @{
- # Id = "19.7.44.2.1"
- # Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'"
- # Config = @{
- # Type = "RegistryConfig"
- # Existence = "Yes"
- # Key = "HKEY_USERS\\Software\Policies\Microsoft\WindowsMediaPlayer"
- # ValueName = "PreventCodecDownload"
- # ValueData = @{
- # Operation = "equals"
- # Value = "1"
- # }
- # ValueType = "reg_dword"
- # }
- # }
- )
- UserRights = @(
- @{
- Id = "2.2.1"
- Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTrustedCredManAccessPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.2"
- Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeNetworkLogonRight"
- Identity = @(
- "Administrators"
- "Remote Desktop Users"
- )
- }
- }
- @{
- Id = "2.2.3"
- Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTcbPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.4"
- Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'"
- Config = @{
- Type = 
"UserRightConfig"
- UserRight = "SeIncreaseQuotaPrivilege"
- Identity = @(
- "Administrators"
- "Local Service"
- "Network Service"
- )
- }
- }
- @{
- Id = "2.2.5"
- Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeInteractiveLogonRight"
- Identity = @(
- "Administrators"
- "Users"
- )
- }
- }
- @{
- Id = "2.2.6"
- Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeRemoteInteractiveLogonRight"
- Identity = @(
- "Administrators"
- "Remote Desktop Users"
- )
- }
- }
- @{
- Id = "2.2.7"
- Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeBackupPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.8"
- Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSystemtimePrivilege"
- Identity = @(
- "Administrators"
- "Local Service"
- )
- }
- }
- @{
- Id = "2.2.9"
- Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTimeZonePrivilege"
- Identity = @(
- "Administrators"
- "Local Service"
- "Users"
- )
- }
- }
- @{
- Id = "2.2.10"
- Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreatePagefilePrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.11"
- Task = "(L1) Ensure 'Create a token object' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreateTokenPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.12"
- Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
- Config = @{
- Type 
= "UserRightConfig"
- UserRight = "SeCreateGlobalPrivilege"
- Identity = @(
- "Administrators"
- "Local Service"
- "Network Service"
- "Service"
- )
- }
- }
- @{
- Id = "2.2.13"
- Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreatePermanentPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.14"
- Task = "(L1) Configure 'Create symbolic links'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreateSymbolicLinkPrivilege"
- Identity = @(
- "Administrators"
- "NT VIRTUAL MACHINE\Virtual Machines"
- )
- }
- }
- @{
- Id = "2.2.15"
- Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDebugPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.16"
- Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyNetworkLogonRight"
- Identity = @(
- "Guests"
- "Local Account"
- )
- }
- }
- @{ # maybe harden
- Id = "2.2.17"
- Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyBatchLogonRight"
- Identity = @(
- "Guests"
- )
- }
- }
- @{ # maybe harden
- Id = "2.2.18"
- Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyServiceLogonRight"
- Identity = @(
- "Guests"
- )
- }
- }
- @{
- Id = "2.2.19"
- Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyInteractiveLogonRight"
- Identity = @(
- "Guests"
- )
- }
- }
- @{
- Id = "2.2.20"
- Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyRemoteInteractiveLogonRight"
- Identity = @(
- "Guests"
- "Local Account"
- )
- }
- }
- @{
- Id = "2.2.21"
- Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeEnableDelegationPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.22"
- Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeRemoteShutdownPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.23"
- Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeAuditPrivilege"
- Identity = @(
- "Local Service"
- "Network Service"
- )
- }
- }
- @{
- Id = "2.2.24"
- Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeImpersonatePrivilege"
- Identity = @(
- "Administrators"
- "Local Service"
- "Network Service"
- "Service"
- )
- }
- }
- @{
- Id = "2.2.25"
- Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeIncreaseBasePriorityPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.26"
- Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeLoadDriverPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.27"
- Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeLockMemoryPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.28"
- Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeBatchLogonRight"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.29"
- Task = "(L2) Ensure 'Log on as a service' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeServiceLogonRight"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.30"
- Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSecurityPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.31"
- Task = "(L1) Ensure 'Modify an object label' is set to 'No One'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeRelabelPrivilege"
- Identity = @(
-
- )
- }
- }
- @{
- Id = "2.2.32"
- Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSystemEnvironmentPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.33"
- Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeManageVolumePrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.34"
- Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeProfileSingleProcessPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.35"
- Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSystemProfilePrivilege"
- Identity = @(
- "Administrators"
- "NT SERVICE\WdiServiceHost"
- )
- }
- }
- @{
- Id = "2.2.36"
- Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeAssignPrimaryTokenPrivilege"
- Identity = @(
- "Local Service"
- "Network Service"
- )
- }
- }
- @{
- Id = "2.2.37"
- Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'"
- Config = @{
- Type = 
"UserRightConfig"
- UserRight = "SeRestorePrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- @{
- Id = "2.2.38"
- Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeShutdownPrivilege"
- Identity = @(
- "Administrators"
- "Users"
- )
- }
- }
- @{
- Id = "2.2.39"
- Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTakeOwnershipPrivilege"
- Identity = @(
- "Administrators"
- )
- }
- }
- )
- AccountPolicies = @(
- @{
- Id = "1.1.1"
- Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "PasswordHistorySize"
- Value = @{
- Operation = "greater than or equal"
- Value = "24"
- }
- }
- }
- @{
- Id = "1.1.2"
- Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "AccountPolicyConfig"
- Policy = "MaximumPasswordAge"
- Value = @{
- Operation = "less than or equal"
- Value = "60"
- }
- }
- @{
- Type = "AccountPolicyConfig"
- Policy = "MaximumPasswordAge"
- Value = @{
- Operation = "greater than"
- Value = "0"
- }
- }
- )
- }
- }
- @{
- Id = "1.1.3"
- Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "MinimumPasswordAge"
- Value = @{
- Operation = "greater than or equal"
- Value = "1"
- }
- }
- }
- @{
- Id = "1.1.4"
- Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "MinimumPasswordLength"
- Value = @{
- Operation = "greater than or equal"
- Value = "14"
- }
- }
- }
- @{
- Id = "1.1.5"
- Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "PasswordComplexity"
- Value = @{
- Operation = "equals"
- Value = "1"
- }
- }
- }
- @{
- Id = "1.1.6"
- Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "ClearTextPassword"
- Value = @{
- Operation = "equals"
- Value = "0"
- }
- }
- }
- @{
- Id = "1.2.1"
- Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutDuration"
- Value = @{
- Operation = "greater than or equal"
- Value = "15"
- }
- }
- }
- @{
- Id = "1.2.2"
- Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutBadCount"
- Value = @{
- Operation = "less than or equal"
- Value = "10"
- }
- }
- @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutBadCount"
- Value = @{
- Operation = "greater than"
- Value = "0"
- }
- }
- )
- }
- }
- @{
- Id = "1.2.3"
- Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "ResetLockoutCount"
- Value = @{
- Operation = "greater than or equal"
- Value = "15"
- }
- }
- }
- )
- FirewallProfileSettings = @(
- @{
- Id = "9.1.1"
- Task = "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "Enabled"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.1.2"
- Task = "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "DefaultInboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Block"
- }
- }
- }
- @{
- Id = "9.1.3"
- Task = "Ensure 'Windows Firewall: Domain: 
Outbound connections' is set to 'Allow (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "DefaultOutboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Allow"
- }
- }
- }
- @{
- Id = "9.1.4"
- Task = "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "NotifyOnListen"
- Value = @{
- Operation = "Equals"
- Value = "False"
- }
- }
- }
- @{
- Id = "9.1.5"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "LogFileName"
- Value = @{
- Operation = "Equals"
- Value = "%systemroot%\system32\LogFiles\Firewall\domainfw.log"
- }
- }
- }
- @{
- Id = "9.1.6"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "LogMaxSizeKilobytes"
- Value = @{
- Operation = "greater than or equal"
- Value = "16384"
- }
- }
- }
- @{
- Id = "9.1.7"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "LogBlocked"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.1.8"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Domain"
- Setting = "LogAllowed"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
-
- @{
- Id = "9.2.1"
- Task = "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "Enabled"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.2.2"
- Task = 
"Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "DefaultInboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Block"
- }
- }
- }
- @{
- Id = "9.2.3"
- Task = "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "DefaultOutboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Allow"
- }
- }
- }
- @{
- Id = "9.2.4"
- Task = "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "NotifyOnListen"
- Value = @{
- Operation = "Equals"
- Value = "False"
- }
- }
- }
- @{
- Id = "9.2.5"
- Task = "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "LogFileName"
- Value = @{
- Operation = "Equals"
- Value = "%systemroot%\system32\LogFiles\Firewall\privatefw.log"
- }
- }
- }
- @{
- Id = "9.2.6"
- Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "LogMaxSizeKilobytes"
- Value = @{
- Operation = "greater than or equal"
- Value = "16384"
- }
- }
- }
- @{
- Id = "9.2.7"
- Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "LogBlocked"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.2.8"
- Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Private"
- Setting = "LogAllowed"
- Value = @{
- Operation = 
"Equals"
- Value = "True"
- }
- }
- }
-
-
- @{
- Id = "9.3.1"
- Task = "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "Enabled"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.3.2"
- Task = "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "DefaultInboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Block"
- }
- }
- }
- @{
- Id = "9.3.3"
- Task = "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "DefaultOutboundAction"
- Value = @{
- Operation = "Equals"
- Value = "Allow"
- }
- }
- }
- @{
- Id = "9.3.4"
- Task = "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "NotifyOnListen"
- Value = @{
- Operation = "Equals"
- Value = "False"
- }
- }
- }
- # Run Get-NetFirewallProfile -Name Public -PolicyStore localhost
- # @{ # Problems
- # Id = "9.3.5"
- # Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- # Config = @{
- # Type = "FirewallProfileConfig"
- # Profile = "Public"
- # Setting = "AllowLocalFirewallRules"
- # Value = @{
- # Operation = "equals"
- # Value = "False"
- # }
- # }
- # }
- # @{ # Problems
- # Id = "9.3.6"
- # Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- # Config = @{
- # Type = "FirewallProfileConfig"
- # Profile = "Public"
- # Setting = "AllowLocalIPsecRules"
- # Value = @{
- # Operation = "equals"
- # Value = "False"
- # }
- # }
- # }
- @{
- Id = "9.3.7"
- Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to 
'%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "LogFileName"
- Value = @{
- Operation = "Equals"
- Value = "%systemroot%\system32\LogFiles\Firewall\publicfw.log"
- }
- }
- }
- @{
- Id = "9.3.8"
- Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "LogMaxSizeKilobytes"
- Value = @{
- Operation = "greater than or equal"
- Value = "16384"
- }
- }
- }
- @{
- Id = "9.3.9"
- Task = "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "LogBlocked"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- @{
- Id = "9.3.10"
- Task = "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
- Config = @{
- Type = "FirewallProfileConfig"
- Profile = "Public"
- Setting = "LogAllowed"
- Value = @{
- Operation = "Equals"
- Value = "True"
- }
- }
- }
- )
- AuditPolicies = @(
- @{
- Id = "17.1.1"
- Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Credential Validation"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.2.1"
- Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Application Group Management"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.2.2"
- Task = "(L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Computer Account Management"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.2.3"
- Task = "(L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Other Account Management Events"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.2.4"
- Task = "(L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Security Group Management"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.2.5"
- Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "User Account Management"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.3.1"
- Task = "(L1) Ensure 'Audit PNP Activity' is set to 'Success'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Plug and Play Events"
- AuditFlag = "Success"
- }
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Plug and Play Events"
- AuditFlag = "Success and Failure"
- }
- )
- }
- }
- @{
- Id = "17.3.2"
- Task = "(L1) Ensure 'Audit Process Creation' is set to 'Success'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Process Creation"
- AuditFlag = "Success"
- }
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Process Creation"
- AuditFlag = "Success and Failure"
- }
- )
- }
- }
- @{
- Id = "17.5.1"
- Task = "(L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure'"
- Config = @{
- Type = "AuditPolicyConfig"
- Subcategory = "Account Lockout"
- AuditFlag = "Success and Failure"
- }
- }
- @{
- Id = "17.5.2"
- Task = "(L1) Ensure 'Audit Group Membership' is set to 'Success'"
- Config = @{
- Type = "ComplexConfig"
- Operation = "OR"
- Configs = @(
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Group Membership"
- AuditFlag = "Success"
- }
- @{
- Type = "AuditPolicyConfig"
- Subcategory = "Group Membership"
- AuditFlag = "Success and Failure"
- }
- )
- }
- }
- @{
- Id = "17.5.3"
- Task = "(L1) 
Ensure 'Audit Logoff' is set to 'Success'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "AuditPolicyConfig" - Subcategory = "Logoff" - AuditFlag = "Success" - } - @{ - Type = "AuditPolicyConfig" - Subcategory = "Logoff" - AuditFlag = "Success and Failure" - } - ) - } - } - @{ - Id = "17.5.4" - Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Logon" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.5.5" - Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Other Logon/Logoff Events" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.5.6" - Task = "(L1) Ensure 'Audit Special Logon' is set to 'Success'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "AuditPolicyConfig" - Subcategory = "Special Logon" - AuditFlag = "Success" - } - @{ - Type = "AuditPolicyConfig" - Subcategory = "Special Logon" - AuditFlag = "Success and Failure" - } - ) - } - } - @{ - Id = "17.6.1" - Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "File Share" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.6.2" - Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Other Object Access Events" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.6.3" - Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Removable Storage" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.7.1" - Task = "(L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Audit Policy Change" - 
AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.7.2" - Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to 'Success'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "AuditPolicyConfig" - Subcategory = "Authentication Policy Change" - AuditFlag = "Success" - } - @{ - Type = "AuditPolicyConfig" - Subcategory = "Authentication Policy Change" - AuditFlag = "Success and Failure" - } - ) - } - } - @{ - Id = "17.7.3" - Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to 'Success'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "AuditPolicyConfig" - Subcategory = "Authorization Policy Change" - AuditFlag = "Success" - } - @{ - Type = "AuditPolicyConfig" - Subcategory = "Authorization Policy Change" - AuditFlag = "Success and Failure" - } - ) - } - } - @{ - Id = "17.8.1" - Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Sensitive Privilege Use" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.9.1" - Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Ipsec Driver" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.9.2" - Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Other System Events" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.9.3" - Task = "(L1) Ensure 'Audit Security State Change' is set to 'Success'" - Config = @{ - Type = "ComplexConfig" - Operation = "OR" - Configs = @( - @{ - Type = "AuditPolicyConfig" - Subcategory = "Security State Change" - AuditFlag = "Success" - } - @{ - Type = "AuditPolicyConfig" - Subcategory = "Security State Change" - AuditFlag = "Success and Failure" - } - ) - } - } - @{ - Id = "17.9.4" - Task = "(L1) Ensure 'Audit 
Security System Extension' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "Security System Extension" - AuditFlag = "Success and Failure" - } - } - @{ - Id = "17.9.5" - Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" - Config = @{ - Type = "AuditPolicyConfig" - Subcategory = "System Integrity" - AuditFlag = "Success and Failure" - } - } - ) -} \ No newline at end of file diff --git a/Windows10Audit/Win10_DISA_V1R16.psd1 b/Windows10Audit/Win10_DISA_V1R16.psd1 deleted file mode 100644 index 5730d888..00000000 --- a/Windows10Audit/Win10_DISA_V1R16.psd1 +++ /dev/null 
@@ -1,1394 +0,0 @@ -# DISA Requirements MS Windows 10 DISA STIG V1R16 - -@{ - RegistrySettings = @( - @{ - Id = "WN10-CC-000310"#450 - Task = "Users must be prevented from changing installation options." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\" - Name = "EnableUserControl" - Value = 0 - } - @{ - Id = "WN10-CC-000315"#460 - Task = "The Windows Installer Always install with elevated privileges must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\" - Name = "AlwaysInstallElevated" - Value = 0 - } - @{ - Id = "WN10-CC-000320"#470 - Task = "Users must be notified if a web-based program attempts to install software." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\" - Name = "SafeForScripting" - Value = 0 - } - @{ - Id = "WN10-CC-000325"#480 - Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "DisableAutomaticRestartSignOn" - Value = 1 - } - @{ - Id = "WN10-CC-000330"#500 - Task = "The Windows Remote Management (WinRM) client must not use Basic authentication." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" - Name = "AllowBasic" - Value = 0 - } - @{ - Id = "WN10-CC-000335"#510 - Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" - Name = "AllowUnencryptedTraffic" - Value = 0 - } - @{ - Id = "WN10-CC-000340"#520 - Task = "The Windows Remote Management (WinRM) client must not use Digest authentication." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" - Name = "AllowDigest" - Value = 0 - } - @{ - Id = "WN10-CC-000345"#530 - Task = "The Windows Remote Management (WinRM) service must not use Basic authentication." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" - Name = "AllowBasic" - Value = 0 - } - @{ - Id = "WN10-CC-000350"#540 - Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" - Name = "AllowUnencryptedTraffic" - Value = 0 - } - @{ - Id = "WN10-CC-000355"#550 - Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" - Name = "DisableRunAs" - Value = 1 - } - @{ - Id = "WN10-AU-000500"#CC-300 - Task = "The Application event log size must be configured to 32768 KB or greater." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\" - Name = "MaxSize" - Value = 32768 - } - @{ - Id = "WN10-AU-000505"#CC - Task = "The Security event log size must be configured to 1024000 KB or greater." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\" - Name = "MaxSize" - Value = 1024000 - } - @{ - Id = "WN10-AU-000510" - Task = "The System event log size must be configured to 32768 KB or greater." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\" - Name = "MaxSize" - Value = 32768 - } - @{ - Id = "WN10-CC-000005" - Task = "Camera access from the lock screen must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization\" - Name = "NoLockScreenCamera" - Value = 1 - } - @{ - Id = "WN10-CC-000010" - Task = "The display of slide shows on the lock screen must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization\" - Name = "NoLockScreenSlideshow" - Value = 1 - } - @{ - Id = "WN10-CC-000020" - Task = "IPv6 source routing must be configured to highest protection." 
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" - Name = "DisableIpSourceRouting" - Value = 2 - } - @{ - Id = "WN10-CC-000025" - Task = "The system must be configured to prevent IP source routing." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" - Name = "DisableIPSourceRouting" - Value = 2 - } - @{ - Id = "WN10-CC-000030" - Task = "The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" - Name = "EnableICMPRedirect" - Value = 0 - } - @{ - Id = "WN10-CC-000035" - Task = "The system must be configured to ignore NetBIOS name release requests except from WINS servers." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\" - Name = "NoNameReleaseOnDemand" - Value = 1 - } - @{ - Id = "WN10-CC-000040" - Task = "Insecure logons to an SMB server must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\" - Name = "AllowInsecureGuestAuth" - Value = 0 - } - @{ - Id = "WN10-CC-000055" - Task = "Simultaneous connections to the Internet or a Windows domain must be limited." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\" - Name = "fMinimizeConnections" - Value = 1 - } - @{ - Id = "WN10-CC-000060" - Task = "Connections to non-domain networks when connected to a domain authenticated network must be blocked." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\" - Name = "fBlockNonDomain" - Value = 1 - } - @{ - Id = "WN10-CC-000065" - Task = "Wi-Fi Sense must be disabled." - Path = "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\" - Name = "AutoConnectAllowedOEM" - Value = 0 - } - @{ - Id = "WN10-CC-000037" - Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." 
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "LocalAccountTokenFilterPolicy" - Value = 0 - } - @{ - Id = "WN10-CC-000085" - Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." - Path = "HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\" - Name = "DriverLoadPolicy" - Value = 8 - } - @{ - Id = "WN10-CC-000090" - Task = "Group Policy objects must be reprocessed even if they have not changed." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" - Name = "NoGPOListChanges" - Value = 0 - } - @{ - Id = "WN10-CC-000100" - Task = "Downloading print driver packages over HTTP must be prevented." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\" - Name = "DisableWebPnPDownload" - Value = 1 - } - @{ - Id = "WN10-SO-000015" - Task = "Local accounts with blank passwords must be restricted to prevent access from the network." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "LimitBlankPasswordUse" - Value = 1 - } - @{ - Id = "WN10-CC-000105" - Task = "Web publishing and online ordering wizards must be prevented from downloading a list of providers." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - Name = "NoWebServices" - Value = 1 - } - @{ - Id = "WN10-CC-000110" - Task = "Printing over HTTP must be prevented." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\" - Name = "DisableHTTPPrinting" - Value = 1 - } - @{ - Id = "WN10-CC-000115" - Task = "Systems must at least attempt device authentication using certificates." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\" - Name = "DevicePKInitEnabled" - Value = 1 - } - @{ - Id = "WN10-CC-000120" - Task = "The network selection user interface (UI) must not be displayed on the logon screen." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\" - Name = "DontDisplayNetworkSelectionUI" - Value = 1 - } - @{ - Id = "WN10-CC-000130" - Task = "Local users on domain-joined computers must not be enumerated." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\" - Name = "EnumerateLocalUsers" - Value = 0 - } - @{ - Id = "WN10-SO-000030" - Task = "Audit policy using subcategories must be enabled." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "SCENoApplyLegacyAuditPolicy" - Value = 1 - } - @{ - Id = "WN10-SO-000035" - Task = "Outgoing secure channel traffic must be encrypted or signed." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "RequireSignOrSeal" - Value = 1 - } - @{ - Id = "WN10-SO-000040" - Task = "Outgoing secure channel traffic must be encrypted when possible." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "SealSecureChannel" - Value = 1 - } - @{ - Id = "WN10-CC-000145" - Task = "Users must be prompted for a password on resume from sleep (on battery)." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\" - Name = "DCSettingIndex" - Value = 1 - } - @{ - Id = "WN10-SO-000045" - Task = "Outgoing secure channel traffic must be signed when possible." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "SignSecureChannel" - Value = 1 - } - @{ - Id = "WN10-CC-000150" - Task = "The user must be prompted for a password on resume from sleep (plugged in)." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\" - Name = "ACSettingIndex" - Value = 1 - } - @{ - Id = "WN10-CC-000155" - Task = "Solicited Remote Assistance must not be allowed." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "fAllowToGetHelp" - Value = 0 - } - @{ - Id = "WN10-SO-000050" - Task = "The computer account password must not be prevented from being reset." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "DisablePasswordChange" - Value = 0 - } - @{ - Id = "WN10-CC-000165" - Task = "Unauthenticated RPC clients must be restricted from connecting to the RPC server." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\" - Name = "RestrictRemoteClients" - Value = 1 - } - @{ - Id = "WN10-CC-000170" - Task = "The setting to allow Microsoft accounts to be optional for modern style apps must be enabled." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "MSAOptional" - Value = 1 - } - <#@{ - Id = "WN10-SO-000055" - Task = "The maximum age for machine account passwords must be configured to 30 days or less." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "MaximumPasswordAge" - Value = Please check data - }#> - @{ - Id = "WN10-CC-000175" - Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat\" - Name = "DisableInventory" - Value = 1 - } - @{ - Id = "WN10-SO-000060" - Task = "The system must be configured to require a strong session key." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" - Name = "RequireStrongKey" - Value = 1 - } - @{ - Id = "WN10-CC-000180" - Task = "Autoplay must be turned off for non-volume devices." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\" - Name = "NoAutoplayfornonVolume" - Value = 1 - } - @{ - Id = "WN10-SO-000070" - Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." 
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "InactivityTimeoutSecs" - Value = 900 - } - @{ - Id = "WN10-CC-000185" - Task = "The default autorun behavior must be configured to prevent autorun commands." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - Name = "NoAutorun" - Value = 1 - } - @{ - Id = "WN10-CC-000190" - Task = "Autoplay must be disabled for all drives." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\" - Name = "NoDriveTypeAutoRun" - Value = 255 - } - <#@{ - Id = "WN10-SO-000075" - Task = "The required legal notice must be configured to display before console logon." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "LegalNoticeText" - Value = - }#> - @{ - Id = "WN10-CC-000195" - Task = "Enhanced anti-spoofing for facial recognition must be enabled on Window 10." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\" - Name = "EnhancedAntiSpoofing" - Value = 1 - } - @{ - Id = "WN10-CC-000200" - Task = "Administrator accounts must not be enumerated during elevation." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\" - Name = "EnumerateAdministrators" - Value = 0 - } - <#@{ - Id = "WN10-SO-000080" - Task = "The Windows dialog box title for the legal banner must be configured." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "LegalNoticeCaption" - Value = Please check data - } - @{ - Id = "WN10-CC-000205" - Task = "Windows Telemetry must not be configured to Full." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\" - Name = "AllowTelemetry" - Value = Please check data - } - @{ - Id = "WN10-SO-000085" - Task = "Caching of logon credentials must be limited." 
- Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" - Name = "CachedLogonsCount" - Value = Please check data - }#> - @{ - Id = "WN10-CC-000215" - Task = "Explorer Data Execution Prevention must be enabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\" - Name = "NoDataExecutionPrevention" - Value = 0 - } - @{ - Id = "WN10-CC-000220" - Task = "Turning off File Explorer heap termination on corruption must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\" - Name = "NoHeapTerminationOnCorruption" - Value = 0 - } - @{ - Id = "WN10-CC-000225" - Task = "File Explorer shell protocol must run in protected mode." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" - Name = "PreXPSP2ShellProtocolBehavior" - Value = 0 - } - @{ - Id = "WN10-SO-000095" - Task = "The Smart Card removal option must be configured to Force Logoff or Lock Workstation." - Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" - Name = "SCRemoveOption" - Value = "1" - } - @{ - Id = "WN10-CC-000230" - Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" - Name = "PreventOverride" - Value = 1 - } - @{ - Id = "WN10-CC-000235" - Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" - Name = "PreventOverrideAppRepUnknown" - Value = 1 - } - @{ - Id = "WN10-SO-000100" - Task = "The Windows SMB client must be configured to always perform SMB packet signing." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" - Name = "RequireSecuritySignature" - Value = 1 - } - @{ - Id = "WN10-CC-000240" - Task = "InPrivate browsing in Microsoft Edge must be disabled." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\" - Name = "AllowInPrivate" - Value = 0 - } - @{ - Id = "WN10-SO-000105" - Task = "The Windows SMB client must be enabled to perform SMB packet signing when possible." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" - Name = "EnableSecuritySignature" - Value = 1 - } - <#@{ - Id = "WN10-CC-000245" - Task = "The password manager function in the Edge browser must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\" - Name = "FormSuggest Passwords" - Value = Please check data - }#> - @{ - Id = "WN10-SO-000110" - Task = "Unencrypted passwords must not be sent to third-party SMB Servers." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" - Name = "EnablePlainTextPassword" - Value = 0 - } - @{ - Id = "WN10-CC-000250" - Task = "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\" - Name = "EnabledV9" - Value = 1 - } - @{ - Id = "WN10-CC-000255" - Task = "The use of a hardware security device with Windows Hello for Business must be enabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\" - Name = "RequireSecurityDevice" - Value = 1 - } - @{ - Id = "WN10-SO-000120" - Task = "The Windows SMB server must be configured to always perform SMB packet signing." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" - Name = "RequireSecuritySignature" - Value = 1 - } - @{ - Id = "WN10-CC-000260" - Task = "Windows 10 must be configured to require a minimum pin length of six characters or greater." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\" - Name = "MinimumPINLength" - Value = 6 - } - @{ - Id = "WN10-SO-000125" - Task = "The Windows SMB server must perform SMB packet signing when possible." 
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" - Name = "EnableSecuritySignature" - Value = 1 - } - @{ - Id = "WN10-CC-000270" - Task = "Passwords must not be saved in the Remote Desktop Client." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "DisablePasswordSaving" - Value = 1 - } - @{ - Id = "WN10-CC-000275" - Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "fDisableCdm" - Value = 1 - } - @{ - Id = "WN10-CC-000280" - Task = "Remote Desktop Services must always prompt a client for passwords upon connection." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "fPromptForPassword" - Value = 1 - } - @{ - Id = "WN10-CC-000285" - Task = "The Remote Desktop Session Host must require secure RPC communications." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "fEncryptRPCTraffic" - Value = 1 - } - @{ - Id = "WN10-CC-000290" - Task = "Remote Desktop Services must be configured with the client connection encryption set to the required level." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" - Name = "MinEncryptionLevel" - Value = 3 - } - @{ - Id = "WN10-CC-000295" - Task = "Attachments must be prevented from being downloaded from RSS feeds." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\" - Name = "DisableEnclosureDownload" - Value = 1 - } - @{ - Id = "WN10-SO-000145" - Task = "Anonymous enumeration of SAM accounts must not be allowed." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "RestrictAnonymousSAM" - Value = 1 - } - @{ - Id = "WN10-CC-000300" - Task = "Basic authentication for RSS feeds over HTTP must not be used." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\" - Name = "AllowBasicAuthInClear" - Value = 0 - } - @{ - Id = "WN10-SO-000150" - Task = "Anonymous enumeration of shares must be restricted." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "RestrictAnonymous" - Value = 1 - } - @{ - Id = "WN10-CC-000305" - Task = "Indexing of encrypted files must be turned off." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\" - Name = "AllowIndexingEncryptedStoresOrItems" - Value = 0 - } - @{ - Id = "WN10-SO-000160" - Task = "The system must be configured to prevent anonymous users from having the same rights as the Everyone group." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "EveryoneIncludesAnonymous" - Value = 0 - } - @{ - Id = "WN10-SO-000165" - Task = "Anonymous access to Named Pipes and Shares must be restricted." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" - Name = "RestrictNullSessAccess" - Value = 1 - } - @{ - Id = "WN10-SO-000175" - Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\" - Name = "UseMachineId" - Value = 1 - } - @{ - Id = "WN10-SO-000180" - Task = "NTLM must be prevented from falling back to a Null session." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\" - Name = "allownullsessionfallback" - Value = 0 - } - @{ - Id = "WN10-SO-000185" - Task = "PKU2U authentication using online identities must be prevented." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\" - Name = "AllowOnlineID" - Value = 0 - } - @{ - Id = "WN10-SO-000190" - Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." 
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\" - Name = "SupportedEncryptionTypes" - Value = 2147483640 - } - @{ - Id = "WN10-SO-000195" - Task = "The system must be configured to prevent the storage of the LAN Manager hash of passwords." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "NoLMHash" - Value = 1 - } - @{ - Id = "WN10-SO-000205" - Task = "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "LmCompatibilityLevel" - Value = 5 - } - @{ - Id = "WN10-SO-000210" - Task = "The system must be configured to the required LDAP client signing level." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\" - Name = "LDAPClientIntegrity" - Value = 1 - } - @{ - Id = "WN10-SO-000215" - Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based clients." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\" - Name = "NTLMMinClientSec" - Value = 537395200 - } - @{ - Id = "WN10-SO-000220" - Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based servers." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\" - Name = "NTLMMinServerSec" - Value = 537395200 - } - @{ - Id = "WN10-SO-000230" - Task = "The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\" - Name = "Enabled" - Value = 1 - } - @{ - Id = "WN10-SO-000240" - Task = "The default permissions of global system objects must be increased." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\" - Name = "ProtectionMode" - Value = 1 - } - @{ - Id = "WN10-SO-000245" - Task = "User Account Control approval mode for the built-in Administrator must be enabled." 
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "FilterAdministratorToken" - Value = 1 - } - @{ - Id = "WN10-SO-000250" - Task = "User Account Control must, at minimum, prompt administrators for consent on the secure desktop." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "ConsentPromptBehaviorAdmin" - Value = 2 - } - @{ - Id = "WN10-SO-000255" - Task = "User Account Control must automatically deny elevation requests for standard users." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "ConsentPromptBehaviorUser" - Value = 0 - } - @{ - Id = "WN10-SO-000260" - Task = "User Account Control must be configured to detect application installations and prompt for elevation." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "EnableInstallerDetection" - Value = 1 - } - @{ - Id = "WN10-SO-000265" - Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "EnableSecureUIAPaths" - Value = 1 - } - @{ - Id = "WN10-SO-000270" - Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "EnableLUA" - Value = 1 - } - @{ - Id = "WN10-SO-000275" - Task = "User Account Control must virtualize file and registry write failures to per-user locations." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" - Name = "EnableVirtualization" - Value = 1 - } - @{ - Id = "WN10-UC-000015" - Task = "Toast notifications to the lock screen must be turned off." 
- Path = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\" - Name = "NoToastApplicationNotificationOnLockScreen" - Value = 1 - } - @{ - Id = "WN10-UC-000020" - Task = "Zone information must be preserved when saving attachments." - Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\" - Name = "SaveZoneInformation" - Value = 2 - } - <#@{ - Id = "WN10-CC-000206" - Task = "Windows Update must not obtain updates from other PCs on the Internet." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\" - Name = "DODownloadMode" - Value = Please check data - }#> - @{ - Id = "WN10-CC-000066" - Task = "Command line data must be included in process creation events." - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\" - Name = "ProcessCreationIncludeCmdLine_Enabled" - Value = 1 - } - @{ - Id = "WN10-CC-000326" - Task = "PowerShell script block logging must be enabled." - Path = "HKLM:\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\" - Name = "EnableScriptBlockLogging" - Value = 1 - } - @{ - Id = "WN10-00-000150" - Task = "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\" - Name = "DisableExceptionChainValidation" - Value = 0 - } - @{ - Id = "WN10-CC-000038" - Task = "WDigest Authentication must be disabled." - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" - Name = "UseLogonCredential" - Value = 0 - } - @{ - Id = "WN10-CC-000044" - Task = "Internet connection sharing must be disabled." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections\" - Name = "NC_ShowSharedAccessUI" - Value = 0 - } - <#@{ - Id = "WN10-SO-000167" - Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators." 
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" - Name = "RestrictRemoteSAM" - Value = Please check data - }#> - @{ - Id = "WN10-CC-000197" - Task = "Microsoft consumer experiences must be turned off." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent\" - Name = "DisableWindowsConsumerFeatures" - Value = 1 - } - <#@{ - Id = "WN10-CC-000052" - Task = "Windows 10 must be configured to prioritize ECC Curves with longer key lengths first." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\" - Name = "EccCurves" - Value = Please check data - }#> - @{ - Id = "WN10-CC-000228" - Task = "Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Privacy\" - Name = "ClearBrowsingHistoryOnExit" - Value = 0 - } - @{ - Id = "WN10-CC-000252" - Task = "Windows 10 must be configured to disable Windows Game Recording and Broadcasting." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR\" - Name = "AllowGameDVR" - Value = 0 - } - @{ - Id = "WN10-CC-000068" - Task = "Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials." - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" - Name = "AllowProtectedCreds" - Value = 1 - } - @{ - Id = "WN10-00-000165" - Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\" - Name = "SMB1" - Value = 0 - } - @{ - Id = "WN10-UC-000005" - Task = "The use of personal accounts for OneDrive synchronization must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\OneDrive\" - Name = "DisablePersonalSync" - Value = 1 - } - @{ - Id = "WN10-CC-000238" - Task = "Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge." 
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\"
- Name = "PreventCertErrorOverrides"
- Value = 1
- }
- @{
- Id = "WN10-CC-000204"
- Task = "If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics."
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\"
- Name = "LimitEnhancedDiagnosticDataWindowsAnalytics"
- Value = 1
- }
- <#@{
- Id = "WN10-CC-000340"
- Task = "OneDrive must only allow synchronizing of accounts for DoD organization instances."
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList\"
- Name = "Organization's Tenant GUID"
- Value = Please check data
- }#>
- )
- UserRights = @(
- @{
- Id = 'WN10-UR-000005'
- Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTrustedCredManAccessPrivilege"
- Identity = @()
- }
- }
- @{
- Id = 'WN10-UR-000010'
- Task = 'The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.'
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeNetworkLogonRight"
- Identity = "Administrators", "Remote Desktop Users"
- }
- }
- @{
- Id = 'WN10-UR-000015'
- Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTcbPrivilege"
- Identity = @()
- }
- }
- @{
- Id = 'WN10-UR-000025'
- Task = 'The Allow log on locally user right must only be assigned to the Administrators and Users groups.'
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeInteractiveLogonRight"
- Identity = "Administrators", "Users"
- }
- }
- @{
- Id = 'WN10-UR-000030'
- Task = "The Back up files and directories user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeBackupPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000035'
- Task = 'The Change the system time user right must only be assigned to Administrators and Local Service.'
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSystemtimePrivilege"
- Identity = "Administrators", "Local Service"
- }
- }
- @{
- Id = 'WN10-UR-000040'
- Task = "The Create a pagefile user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreatePagefilePrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000045'
- Task = "The Create a token object user right must not be assigned to any groups or accounts."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreateTokenPrivilege"
- Identity = @()
- }
- }
- @{
- Id = 'WN10-UR-000050'
- Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreateGlobalPrivilege"
- Identity = "Administrators", "Service", "Local Service", "Network Service"
- }
- }
- @{
- Id = 'WN10-UR-000055'
- Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeCreatePermanentPrivilege"
- Identity = @()
- }
- }
- # @{
- # Id = 'WN10-UR-000060'
- # Task = "The Create symbolic links user right must only be assigned to the Administrators group."
- # Config = @{
- # Type = "UserRightConfig"
- # UserRight = "SeCreateSymbolicLinkPrivilege"
- # Identity = "Administrators"
- # }
- # }
- @{
- Id = 'WN10-UR-000065'
- Task = "The Debug programs user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDebugPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000070 MW'
- Task = 'The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "MemberWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyNetworkLogonRight"
- Identity = "Enterprise Admins", "Domain Admins", "Local account", "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000070 SW'
- Task = 'The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "StandaloneWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyNetworkLogonRight"
- Identity = "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000075 MW'
- Task = 'The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.'
- DomainRole = "MemberWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyBatchLogonRight"
- Identity = "Enterprise Admins", "Domain Admins"
- }
- }
- @{
- Id = 'WN10-UR-000080 MW'
- Task = 'The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.'
- DomainRole = "MemberWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyServiceLogonRight"
- Identity = "Enterprise Admins", "Domain Admins"
- }
- }
- @{
- Id = 'WN10-UR-000085 MW'
- Task = 'The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "MemberWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyInteractiveLogonRight"
- Identity = "Enterprise Admins", "Domain Admins", "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000085 SW'
- Task = 'The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "StandaloneWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyInteractiveLogonRight"
- Identity = "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000090 MW'
- Task = 'The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "MemberWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyRemoteInteractiveLogonRight"
- Identity = "Enterprise Admins", "Domain Admins", "Local account", "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000090 SW'
- Task = 'The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.'
- DomainRole = "StandaloneWorkstation"
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeDenyRemoteInteractiveLogonRight"
- Identity = "Guests"
- }
- }
- @{
- Id = 'WN10-UR-000100'
- Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeRemoteShutdownPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000105'
- Task = "The Generate security audits user right must only be assigned to Local Service and Network Service."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeAuditPrivilege"
- Identity = "Local Service", "Network Service"
- }
- }
- @{
- Id = 'WN10-UR-000110'
- Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeImpersonatePrivilege"
- Identity = "Administrators", "Service", "Local Service", "Network Service"
- }
- }
- @{
- Id = 'WN10-UR-000115'
- Task = "The Increase scheduling priority user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeIncreaseBasePriorityPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000120'
- Task = "The Load and unload device drivers user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeLoadDriverPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000125'
- Task = "The Lock pages in memory user right must not be assigned to any groups or accounts."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeLockMemoryPrivilege"
- Identity = @()
- }
- }
- @{
- Id = 'WN10-UR-000130'
- Task = "The Manage auditing and security log user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSecurityPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000140'
- Task = "The Modify firmware environment values user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeSystemEnvironmentPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000145'
- Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeManageVolumePrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000150'
- Task = "The Profile single process user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeProfileSingleProcessPrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000160'
- Task = "The Restore files and directories user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeRestorePrivilege"
- Identity = "Administrators"
- }
- }
- @{
- Id = 'WN10-UR-000165'
- Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group."
- Config = @{
- Type = "UserRightConfig"
- UserRight = "SeTakeOwnershipPrivilege"
- Identity = "Administrators"
- }
- }
-
- )
- AccountPolicies = @(
- @{
- Id = "WN10-AC-000005"
- Task = "Windows 10 account lockout duration must be configured to 15 minutes or greater."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutDuration"
- Value = @{
- Operation = "greater than or equal"
- Value = 15
- }
- }
- }
- @{
- Id = "WN10-AC-000010"
- Task = "The number of allowed bad logon attempts must be configured to 3 or less."
- Config = @{
- Type = "ComplexConfig"
- Operation = "AND"
- Configs = @(
- @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutBadCount"
- Value = @{
- Operation = "less than or equal"
- Value = 3
- }
- }
- @{
- Type = "AccountPolicyConfig"
- Policy = "LockoutBadCount"
- Value = @{
- Operation = "not equal"
- Value = 0
- }
- }
- )
- }
- }
- @{
- Id = "WN10-AC-000015"
- Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "ResetLockoutCount"
- Value = @{
- Operation = "greater than or equal"
- Value = 15
- }
- }
- }
- @{
- Id = 'WN10-AC-000020'
- Task = "The password history must be configured to 24 passwords remembered."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "PasswordHistorySize"
- Value = @{
- Operation = "greater than or equal"
- Value = 24
- }
- }
- }
- @{
- Id = 'WN10-AC-000025'
- Task = "The maximum password age must be configured to 60 days or less."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "MaximumPasswordAge"
- Value = @{
- Operation = "less than or equal"
- Value = 60
- }
- }
- }
- @{
- Id = "WN10-AC-000030"
- Task = "The minimum password age must be configured to at least 1 day."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "MinimumPasswordAge"
- Value = @{
- Operation = "greater than or equal"
- Value = 1
- }
- }
- }
- @{
- Id = "WN10-AC-000035"
- Task = "Passwords must, at a minimum, be 14 characters."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "MinimumPasswordLength"
- Value = @{
- Operation = "greater than or equal"
- Value = 14
- }
- }
- }
- @{
- Id = "WN10-AC-000040"
- Task = "The built-in Microsoft password complexity filter must be enabled."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "PasswordComplexity"
- Value = @{
- Operation = "equals"
- Value = 1
- }
- }
- }
- @{
- Id = "WN10-AC-000045"
- Task = "Reversible password encryption must be disabled."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "ClearTextPassword"
- Value = @{
- Operation = "equals"
- Value = 0
- }
- }
- }
- @{
- Id = 'WN10-SO-000140'
- Task = "Anonymous SID/Name translation must not be allowed."
- Config = @{
- Type = "AccountPolicyConfig"
- Policy = "LSAAnonymousNameLookup"
- Value = @{
- Operation = "equals"
- Value = 0
- }
- }
- }
- )
- WindowsOptionalFeatures = @(
- @{
- Id = 'WN10-00-000100'
- Task = 'Internet Information System (IIS) or its subcomponents must not be installed on a workstation.'
-
- Feature = "IIS-WebServer"
- }
- # @{ ???
- # Id = 'WN10-00-000105'
- # Task = 'Simple Network Management Protocol (SNMP) must not be installed on the system.'
-
- # Feature = ""
- # }
- @{
- Id = 'WN10-00-000110'
- Task = 'Simple TCP/IP Services must not be installed on the system.'
-
- Feature = "SimpleTCP"
- }
- @{
- Id = 'WN10-00-000115'
- Task = 'The Telnet Client must not be installed on the system.'
-
- Feature = "TelnetClient"
- }
- @{
- Id = 'WN10-00-000120'
- Task = 'The TFTP Client must not be installed on the system.'
-
- Feature = "TFTP"
- }
-
- )
- FileSystemPermissions = @(
- @{
- Id = "WN10-AU-000515"
- Task = "Permissions for the Application event log must prevent access by non-privileged accounts."
-
- Target = "%SystemRoot%\System32\winevt\Logs\Application.evtx"
- PrincipalRights = @{
- "NT SERVICE\EventLog" = "FullControl"
- "NT AUTHORITY\SYSTEM" = "FullControl"
- "BUILTIN\Administrators" = "FullControl"
- }
- }
- @{
- Id = "WN10-AU-000520"
- Task = "Permissions for the Security event log must prevent access by non-privileged accounts."
-
- Target = "%SystemRoot%\System32\winevt\Logs\Security.evtx"
- PrincipalRights = @{
- "NT SERVICE\EventLog" = "FullControl"
- "NT AUTHORITY\SYSTEM" = "FullControl"
- "BUILTIN\Administrators" = "FullControl"
- }
- }
- @{
- Id = "WN10-AU-000525"
- Task = "Permissions for the System event log must prevent access by non-privileged accounts."
-
- Target = "%SystemRoot%\System32\winevt\Logs\System.evtx"
- PrincipalRights = @{
- "NT SERVICE\EventLog" = "FullControl"
- "NT AUTHORITY\SYSTEM" = "FullControl"
- "BUILTIN\Administrators" = "FullControl"
- }
- }
- )
- RegistryPermissions = @(
- @{
- Id = "WN10-RG-000005 A"
- Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
-
- Target = "HKLM:\SECURITY"
- PrincipalRights = @{
- "NT Authority\System" = "FullControl"
- # "BUILTIN\Administrators" = "Special"
- }
- }
- @{
- Id = "WN10-RG-000005 B"
- Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
-
- Target = "HKLM:\SOFTWARE"
- PrincipalRights = @{
- "BUILTIN\Users" = "ReadKey"
- "BUILTIN\Administrators" = "FullControl"
- "NT Authority\System" = "FullControl"
- "CREATOR OWNER" = "FullControl"
- "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
- }
- }
- @{
- Id = "WN10-RG-000005 C"
- Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
-
- Target = "HKLM:\SYSTEM"
- PrincipalRights = @{
- "BUILTIN\Users" = "ReadKey"
- "BUILTIN\Administrators" = "FullControl"
- "NT Authority\System" = "FullControl"
- "CREATOR OWNER" = "FullControl"
- "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey"
- }
- }
- )
-}
diff --git a/Windows10Audit/Windows10Audit.psd1 b/Windows10Audit/Windows10Audit.psd1
deleted file mode 100644
index a2054654..00000000
--- a/Windows10Audit/Windows10Audit.psd1
+++ /dev/null
@@ -1,150 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'Windows10Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '0.3'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = '8c659a31-d962-462a-88cd-911e06f9701c'
-
-# Author of this module
-Author = 'Benedikt Böhme', 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2019 FB Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = "A module that benchmarks your Windows 10 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks."
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-RequiredAssemblies = @(
- 'Microsoft.PowerShell.Commands.Management'
-)
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'Windows 10', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/Windows10Audit/Windows10Audit.psm1 b/Windows10Audit/Windows10Audit.psm1
deleted file mode 100644
index 16ae5a5f..00000000
--- a/Windows10Audit/Windows10Audit.psm1
+++ /dev/null
@@ -1,1820 +0,0 @@
-#Requires -RunAsAdministrator
-
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings - -$DisaRequirements = Import-LocalizedData -FileName "Win10_DISA_V1R16.psd1" -$CisBenchmarks = Import-LocalizedData -FileName "Win10_CIS_V1.4.0.psd1" -#endregion - - -#region Logging functions -function New-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath','Path','Logname')] - [string] - $LogFilePath - ) - - # Create file if it does not already exists - if (-not (Test-Path -Path $LogFilePath)) { - - # Create file and start logging - New-Item -Path $LogFilePath -ItemType File -Force | Out-Null - - $output = @() - $output += "********************************************************************************" - $output += " Logfile created at [$([DateTime]::Now)]" - $output += "********************************************************************************" - $output += "" - $output += "" - - $output | Out-File -Append $LogFilePath -Width 80 - } -} -function Write-LogFile { - param - ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [System.Management.Automation.VerboseRecord] - $Record, - - [Parameter(Mandatory = $false)] - [string] - $LogFilePath = $Settings.LogFilePath - ) - - begin { - New-LogFile -LogFilePath $LogFilePath - } - - process { - $output = @() - $formattedDate = Get-Date -Format 'yyyy-MM-dd HH:mm:ss' - $levelText = '[WARNING]:' - - $output += "$formattedDate $levelText" - $output += $Record.Message - $output += "--------------------------------------------------------------------------------" - $output += "" - - $output | Out-File -Append $LogFilePath -Width 80 - } -} -#endregion - -#region Helper classes -enum AuditResultStatus { - True - False - Warning - None -} - -enum Existence { - 
None - Yes -} - -class ConfigMetadata -{ - [string] $Id - [string] $Task - $Config - - [ConfigAudit] Test() { - $testResult = $this.Config.Test() - return [ConfigAudit]@{ - Id = $this.Id - Task = $this.Task - Status = $testResult.Status - Message = $testResult.Message - } - } -} - -class DomainRoleConfigMetadata : ConfigMetadata -{ - [string[]] $DomainRole = @() - - [ConfigAudit] Test() { - if ($this.DomainRole.Count -gt 0) { - $domainRoles = $this.DomainRole | ForEach-Object { [DomainRole]$_ } - if ((Get-DomainRole) -notin $domainRoles) { - return [ConfigAudit]@{ - Id = $this.Id - Task = $this.Task - Status = [AuditResultStatus]::None - Message = 'Not applicable. This audit applies only to {0}.' -f ($this.DomainRole -join ' and ') - } - } - } - return ([ConfigMetadata]$this).Test() - } -} - -class AuditResult -{ - [AuditResultStatus] $Status - [string] $Message -} - -class ConfigAudit { - [string] $Id - [string] $Task - [AuditResultStatus] $Status - [string] $Message -} - -class ValueRange -{ - [string] $Operation - $Value - - [bool] Test($value) { - if (($this.Operation -eq "equals") -or ($this.Operation -eq "not equal")) { - $negation = $false - if ($this.Operation -eq "not equal") { - $negation = $true - } - if ($value.Count -ne $this.Value.Count) { - return $negation - } - [array]$tvalue = $value - [array]$tthisvalue = $this.Value - for ($i = 0; $i -lt $tthisvalue.Count; $i++) { - if ($tvalue[$i] -ne $tthisvalue[$i]) { - return $negation - } - } - return -not ($negation) - } - elseif ($this.Operation -eq "greater than") { - return [int]$value -gt [int]$this.Value - } - elseif ($this.Operation -eq "less than") { - return [int]$value -lt [int]$this.Value - } - elseif ($this.Operation -eq "greater than or equal") { - return [int]$value -ge [int]$this.Value - } - elseif ($this.Operation -eq "less than or equal") { - return [int]$value -le [int]$this.Value - } - elseif ($this.Operation -eq "pattern match") { - return $value -match $this.Value - } - else { - return 
$False - } - } -} - -#region Configs -class ComplexConfig -{ - [string] $Operation - $Configs - - [AuditResult] Test() { - if ($this.Operation -eq "AND") { - foreach ($config in $this.Configs) { - $result = $config.Test() - if ($result.Status -eq [AuditResultStatus]::False) { - return $result - } - } - - # check for other types - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } - elseif ($this.Operation -eq "OR") { - $messages = @() - foreach ($config in $this.Configs) { - $result = $config.Test() - if ($result.Status -eq [AuditResultStatus]::True) { - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } - - # check for other types - $messages += $result.Message - } - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = $messages -join "`n" - } - } - return $False - } -} - -class RegistryConfig -{ - [Existence] $Existence - [string] $Key - [string] $ValueName - [ValueRange] $ValueData - [string] $ValueType - - [AuditResult] Test() { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $this.Key -Name $this.ValueName ` - | Select-Object -ExpandProperty $this.ValueName - - if ($this.Existence -eq [Existence]::None) { - return [AuditResult]@{ - Message = "Registry value found." - Status = [AuditResultStatus]::False - } - } - - if (-not ($this.ValueData.Test($regValues))) { - $regValue = $regValues -join ", " - return [AuditResult]@{ - Message = "Registry value is '$regValue'. Expected: $($this.ValueData.Operation) $($this.ValueData.Value)" - Status = [AuditResultStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - if ($this.Existence -eq [Existence]::None) { - return [AuditResult]@{ - Message = "Compliant. Registry value not found." - Status = [AuditResultStatus]::True - } - } - - return [AuditResult]@{ - Message = "Registry value not found." 
- Status = [AuditResultStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - if ($this.Existence -eq [Existence]::None) { - return [AuditResult]@{ - Message = "Compliant. Registry key not found." - Status = [AuditResultStatus]::True - } - } - - return [AuditResult]@{ - Message = "Registry key not found." - Status = [AuditResultStatus]::False - } - } - - return [AuditResult]@{ - Message = "Compliant" - Status = [AuditResultStatus]::True - } - } -} - -class UserRightConfig -{ - [string] $UserRight - [string[]] $Identity - - [AuditResult] Test() { - $securityPolicy = Get-SecurityPolicy - $currentUserRights = $securityPolicy["Privilege Rights"][$this.UserRight] - - $identityAccounts = $this.Identity | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } - - $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } - $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } - - if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { - $messages = @() - if ($unexpectedUsers.Count -gt 0) { - $messages += 'The user right setting contains following unexpected users: ' + ($unexpectedUsers -join ", ") - } - if ($missingUsers.Count -gt 0) { - $messages += 'The user right setting does not contain the following users: ' + ($missingUsers -join ", ") - } - $message = $messages -join [System.Environment]::NewLine - - Write-Verbose -Message $message - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = $message - } - } - - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } -} - -class AccountPolicyConfig -{ - [string] $Policy - [ValueRange] $Value - - [AuditResult] Test() { - $securityPolicy = Get-SecurityPolicy - $currentAccountPolicy = $securityPolicy["System Access"][$this.Policy] - - if ($null -eq $currentAccountPolicy) { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - 
Message = "Currently not set." - } - } - - if (-not $this.Value.Test($currentAccountPolicy)) { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = "Currently set to: $currentAccountPolicy. Expected: $($this.Value.Operation) $($this.Value.Value)" - } - } - - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } -} - -class AuditPolicyConfig -{ - [string] $Subcategory - [string] $AuditFlag - - [AuditResult] Test() { - # Get the audit policy for the subcategory $subcategory - $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory $this.Subcategory - $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" - - # auditpol does not throw exceptions, so test the results and throw if needed - if ($LASTEXITCODE -ne 0) { - $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" - throw [System.ArgumentException] $errorString - Write-Error -Message $errorString - } - - if ($null -eq $auditPolicyString) { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = "Couldn't get setting. Auditpol returned nothing." - } - } - - # Remove empty lines and headers - $line = $auditPolicyString ` - | Where-Object { $_ } ` - | Select-Object -Skip 3 - - if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = "Couldn't get setting." 
- } - } - - $setting = $Matches[0] - - if ($setting -ne $this.AuditFlag) { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = "Set to: $setting" - } - } - - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } -} - -class FirewallProfileConfig -{ - [string] $Profile - [string] $Setting - [ValueRange] $Value - - [AuditResult] Test() { - Write-Verbose -Message "Profile: $($this.Profile), Setting: $($this.Setting), Value: $($this.Value)" - - $firewallProfileArgs = @{ Name = $this.Profile } - if ($this.Setting -like "AllowLocal*Rules") { - $this.firewallProfileArgs.PolicyStore = "localhost" - } - - $profileSettings = Get-NetFirewallProfile @firewallProfileArgs - $currentValue = $profileSettings | Select-Object -ExpandProperty $this.Setting - - if (-not $this.Value.Test($currentValue)) { - return [AuditResult]@{ - Status = [AuditResultStatus]::False - Message = "Profile setting '$this.Setting' is currently set to '$currentValue'. Expected value is '$this.Value'." 
- } - } - - return [AuditResult]@{ - Status = [AuditResultStatus]::True - Message = "Compliant" - } - } -} -#endregion - -function Get-DomainRoleConfigMetadata { - [CmdletBinding()] - [OutputType([ConfigMetadata])] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] - $ConfigMetadata - ) - - process { - $obj = [DomainRoleConfigMetadata]@{ - Id = $ConfigMetadata.Id - Task = $ConfigMetadata.Task - Config = Get-Config -Config $ConfigMetadata.Config - } - if ($ConfigMetadata.ContainsKey("DomainRole")) { - $obj.DomainRole = $ConfigMetadata.DomainRole - } - return $obj - } -} - -function Get-ConfigMetadata { - [CmdletBinding()] - [OutputType([ConfigMetadata])] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] - $ConfigMetadata - ) - - process { - return [ConfigMetadata]@{ - Id = $ConfigMetadata.Id - Task = $ConfigMetadata.Task - Config = Get-Config -Config $ConfigMetadata.Config - } - } -} - -function Get-Config { - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] - $Config - ) - - process { - # remove side effects on input - $Config = $Config.Clone() - - if ($Config.Type -eq "ComplexConfig") { - $Config.Remove("Type") - $Config.Configs = $Config.Configs | Get-Config - return New-Object -TypeName "ComplexConfig" -Property $Config - } - elseif ($Config.Type -eq "RegistryConfig") { - $Config.Remove("Type") - return New-Object -TypeName "RegistryConfig" -Property $Config - } - elseif ($Config.Type -eq "UserRightConfig") { - $Config.Remove("Type") - return New-Object -TypeName "UserRightConfig" -Property $Config - } - elseif ($Config.Type -eq "AccountPolicyConfig") { - $Config.Remove("Type") - return New-Object -TypeName "AccountPolicyConfig" -Property $Config - } - elseif ($Config.Type -eq "AuditPolicyConfig") { - $Config.Remove("Type") - return New-Object -TypeName "AuditPolicyConfig" -Property $Config - } - elseif ($Config.Type -eq 
"FirewallProfileConfig") { - $Config.Remove("Type") - return New-Object -TypeName "FirewallProfileConfig" -Property $Config - } - } -} -#endregion - -#region Helper functions -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} - -function ConvertTo-NTAccountUser { - [CmdletBinding()] - [OutputType([hashtable])] - Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [string] $Name - ) - - process { - # Identity doesn't exist on when Hyper-V isn't installed - if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and - (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { - return $null - } - - Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" - if ($Name -match "^(S-[0-9-]{3,})") { - $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name - } - else { - $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) - } - return @{ - Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) - Sid = $sidAccount.Value - } - } -} - -function Get-SecurityPolicy { - [CmdletBinding()] - param () - - # get a temporary file to save and process the secedit settings - $securityPolicyPath = Join-Path -Path $env:TEMP -ChildPath 'SecurityPolicy.inf' - - # export the 
secedit settings to this temporary file - Write-Verbose "[Get-SecurityPolicy] Exporting local security policies from secedit into tempory file: $securityPolicyPath" - secedit.exe /export /cfg $securityPolicyPath | Out-Null - - $config = @{} - switch -regex -file $securityPolicyPath { - "^\[(.+)\]" { # Section - $section = $matches[1] - $config[$section] = @{} - } - "(.+?)\s*=(.*)" { # Key - $name = $matches[1] - $value = $matches[2] -replace "\*" - $config[$section][$name] = $value - } - } - - Write-Verbose "[Get-SecurityPolicy] Converting identities in 'Privilege Rights' section" - $privilegeRights = @{} - foreach ($key in $config["Privilege Rights"].Keys) { - # Make all accounts SIDs - $accounts = $($config["Privilege Rights"][$key] -split ",").Trim() | ConvertTo-NTAccountUser -Verbose:$VerbosePreference | Where-Object { $_ -ne $null } - $privilegeRights[$key] = $accounts - } - $config["Privilege Rights"] = $privilegeRights - - # sanitize input - $systemAccess = @{} - foreach ($key in $config["System Access"].Keys) { - $systemAccess[$key] = $config["System Access"][$key].Trim() - } - $config["System Access"] = $systemAccess - - return $config -} - -# Get domain role -# 0 {"Standalone Workstation"} -# 1 {"Member Workstation"} -# 2 {"Standalone Server"} -# 3 {"Member Server"} -# 4 {"Backup Domain Controller"} -# 5 {"Primary Domain Controller"} -function Get-DomainRole { - [DomainRole](Get-CimInstance -Class Win32_ComputerSystem).DomainRole -} - -function Get-PrimaryDomainSID { - <# - .SYNOPSIS - Obtains SID of the primary AD domain for the local computer - #> - - [CmdletBinding()] - Param() - # Note: this script obtains SID of the primary AD domain for the local computer. It works both - # if the local computer is a domain member (DomainRole = 1 or DomainRole = 3) - # or if the local computer is a domain controller (DomainRole = 4 or DomainRole = 4). - # The code works even under local user account and does not require calling user - # to be domain account. 
- - [string]$domainSID = $null - - [int]$domainRole = Get-DomainRole - - if (($domainRole -ne [DomainRole]::StandaloneWorkstation) -and ($domainRole -ne [DomainRole]::StandaloneServer)) { - - [string] $domain = Get-CimInstance Win32_ComputerSystem | Select-Object -Expand Domain - [string] $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value - $domainSID = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) - } - - return $domainSID -} - -function Get-LocalAdminName { - # The Administrators Group has the SID S-1-5-32-544 - return (Get-LocalGroupMember -SID "S-1-5-32-544").Name ` - | Where-Object { $_.StartsWith($env:COMPUTERNAME) } ` - | ForEach-Object { $_.Substring($env:COMPUTERNAME.Length + 1) } -} - -function Get-AuditPolicySubcategoryGUID { - Param( - [Parameter(Mandatory = $true)] - [string] $Subcategory - ) - switch ($Subcategory) { - # Information availabe with: auditpol /list /subcategory:* /v - # System - 'Security State Change' { "{0CCE9210-69AE-11D9-BED3-505054503030}" } - 'Security System Extension' { "{0CCE9211-69AE-11D9-BED3-505054503030}" } - 'System Integrity' { "{0CCE9212-69AE-11D9-BED3-505054503030}" } - 'IPsec Driver' { "{0CCE9213-69AE-11D9-BED3-505054503030}" } - 'Other System Events' { "{0CCE9214-69AE-11D9-BED3-505054503030}" } - # Logon/Logoff - 'Logon' { "{0CCE9215-69AE-11D9-BED3-505054503030}" } - 'Logoff' { "{0CCE9216-69AE-11D9-BED3-505054503030}" } - 'Account Lockout' { "{0CCE9217-69AE-11D9-BED3-505054503030}" } - 'IPsec Main Mode' { "{0CCE9218-69AE-11D9-BED3-505054503030}" } - 'IPsec Quick Mode' { "{0CCE9219-69AE-11D9-BED3-505054503030}" } - 'IPsec Extended Mode' { "{0CCE921A-69AE-11D9-BED3-505054503030}" } - 'Special Logon' { "{0CCE921B-69AE-11D9-BED3-505054503030}" } - 'Other Logon/Logoff Events' { "{0CCE921C-69AE-11D9-BED3-505054503030}" } - 'Network Policy Server' { "{0CCE9243-69AE-11D9-BED3-505054503030}" } - 'User / Device Claims' { 
"{0CCE9247-69AE-11D9-BED3-505054503030}" } - 'Group Membership' { "{0CCE9249-69AE-11D9-BED3-505054503030}" } - # Object Access - 'File System' { "{0CCE921D-69AE-11D9-BED3-505054503030}" } - 'Registry' { "{0CCE921E-69AE-11D9-BED3-505054503030}" } - 'Kernel Object' { "{0CCE921F-69AE-11D9-BED3-505054503030}" } - 'SAM' { "{0CCE9220-69AE-11D9-BED3-505054503030}" } - 'Certification Services' { "{0CCE9221-69AE-11D9-BED3-505054503030}" } - 'Application Generated' { "{0CCE9222-69AE-11D9-BED3-505054503030}" } - 'Handle Manipulation' { "{0CCE9223-69AE-11D9-BED3-505054503030}" } - 'File Share' { "{0CCE9224-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Packet Drop' { "{0CCE9225-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Connection' { "{0CCE9226-69AE-11D9-BED3-505054503030}" } - 'Other Object Access Events' { "{0CCE9227-69AE-11D9-BED3-505054503030}" } - 'Detailed File Share' { "{0CCE9244-69AE-11D9-BED3-505054503030}" } - 'Removable Storage' { "{0CCE9245-69AE-11D9-BED3-505054503030}" } - 'Central Policy Staging' { "{0CCE9246-69AE-11D9-BED3-505054503030}" } - # Privelege Use - 'Sensitive Privilege Use' { "{0CCE9228-69AE-11D9-BED3-505054503030}" } - 'Non Sensitive Privilege Use' { "{0CCE9229-69AE-11D9-BED3-505054503030}" } - 'Other Privilege Use Events' { "{0CCE922A-69AE-11D9-BED3-505054503030}" } - # Detailed Tracking - 'Process Creation' { "{0CCE922B-69AE-11D9-BED3-505054503030}" } - 'Process Termination' { "{0CCE922C-69AE-11D9-BED3-505054503030}" } - 'DPAPI Activity' { "{0CCE922D-69AE-11D9-BED3-505054503030}" } - 'RPC Events' { "{0CCE922E-69AE-11D9-BED3-505054503030}" } - 'Plug and Play Events' { "{0CCE9248-69AE-11D9-BED3-505054503030}" } - 'Token Right Adjusted Events' { "{0CCE924A-69AE-11D9-BED3-505054503030}" } - # Policy Change - 'Audit Policy Change' { "{0CCE922F-69AE-11D9-BED3-505054503030}" } - 'Authentication Policy Change' { "{0CCE9230-69AE-11D9-BED3-505054503030}" } - 'Authorization Policy Change' { "{0CCE9231-69AE-11D9-BED3-505054503030}" } - 
'MPSSVC Rule-Level Policy Change' { "{0CCE9232-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Policy Change' { "{0CCE9233-69AE-11D9-BED3-505054503030}" } - 'Other Policy Change Events' { "{0CCE9234-69AE-11D9-BED3-505054503030}" } - # Account Management - 'User Account Management' { "{0CCE9235-69AE-11D9-BED3-505054503030}" } - 'Computer Account Management' { "{0CCE9236-69AE-11D9-BED3-505054503030}" } - 'Security Group Management' { "{0CCE9237-69AE-11D9-BED3-505054503030}" } - 'Distribution Group Management' { "{0CCE9238-69AE-11D9-BED3-505054503030}" } - 'Application Group Management' { "{0CCE9239-69AE-11D9-BED3-505054503030}" } - 'Other Account Management Events' { "{0CCE923A-69AE-11D9-BED3-505054503030}" } - # DS Access - 'Directory Service Access' { "{0CCE923B-69AE-11D9-BED3-505054503030}" } - 'Directory Service Changes' { "{0CCE923C-69AE-11D9-BED3-505054503030}" } - 'Directory Service Replication' { "{0CCE923D-69AE-11D9-BED3-505054503030}" } - 'Detailed Directory Service Replication' { "{0CCE923E-69AE-11D9-BED3-505054503030}" } - # Account Logon - 'Credential Validation' { "{0CCE923F-69AE-11D9-BED3-505054503030}" } - 'Kerberos Service Ticket Operations' { "{0CCE9240-69AE-11D9-BED3-505054503030}" } - 'Other Account Logon Events' { "{0CCE9241-69AE-11D9-BED3-505054503030}" } - 'Kerberos Authentication Service' { "{0CCE9242-69AE-11D9-BED3-505054503030}" } - - Default { "" } - } -} - -function Convert-ToAuditInfo { - [CmdletBinding()] - [OutputType([AuditInfo])] - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Psobject] $auditObject - ) - - process { - return [AuditInfo]@{ - Id = $auditObject.Name - Task = $auditObject.Task - Message = $auditObject.Status - Audit = $auditObject.Passed - } - } -} -#endregion - -#region Audit functions -function Get-RoleAudit { - [CmdletBinding()] - [OutputType([AuditInfo])] - param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, 
ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [string[]] $Role = @("MemberWorkstation","StandaloneWorkstation") - ) - - process { - $domainRoles = $Role | ForEach-Object { [DomainRole]$_ } - if ((Get-DomainRole) -notin $domainRoles) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Not applicable. This audit applies to " + ($Role -join " and ") + "." - Audit = [AuditStatus]::None - } - } - return $null - } -} - -function Get-RegistryAudit { - [CmdletBinding()] - [OutputType([AuditInfo])] - param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false - ) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value found." - Audit = [AuditStatus]::False - } - } - - if (-not (& $Predicate $regValues)) { - Write-Verbose "$($Id): Registry value $Name in registry key $Path is not correct." - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from expected value: $ExpectedValue." 
- Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-Verbose "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not found." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-Verbose "$($Id): Could not get key $Name in registry key $path." - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." - Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} - -function Get-UserRightPolicyAudit { - [CmdletBinding()] - [OutputType([AuditInfo])] - Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ValidateSet( - 'SeNetworkLogonRight', - 'SeTcbPrivilege', - 'SeBackupPrivilege', - 'SeChangeNotifyPrivilege', - 'SeSystemtimePrivilege', - 'SeCreatePagefilePrivilege', - 'SeDebugPrivilege', - 'SeRemoteShutdownPrivilege', - 'SeAuditPrivilege', - 'SeIncreaseQuotaPrivilege', - 'SeLoadDriverPrivilege', - 'SeBatchLogonRight', - 'SeServiceLogonRight', - 'SeInteractiveLogonRight', - 'SeSecurityPrivilege', - 'SeSystemEnvironmentPrivilege', - 'SeProfileSingleProcessPrivilege', - 'SeSystemProfilePrivilege', - 'SeAssignPrimaryTokenPrivilege', - 'SeTakeOwnershipPrivilege', - 'SeDenyNetworkLogonRight', - 'SeDenyBatchLogonRight', - 'SeDenyServiceLogonRight', - 'SeDenyInteractiveLogonRight', - 'SeUndockPrivilege', - 'SeManageVolumePrivilege', - 'SeRemoteInteractiveLogonRight', - 
'SeDenyRemoteInteractiveLogonRight', - 'SeImpersonatePrivilege', - 'SeCreateGlobalPrivilege', - 'SeIncreaseWorkingSetPrivilege', - 'SeTimeZonePrivilege', - 'SeCreateSymbolicLinkPrivilege', - 'SeDelegateSessionUserImpersonatePrivilege', - 'SeCreateTokenPrivilege', - 'SeCreatePermanentPrivilege', - 'SeIncreaseBasePriorityPrivilege', - 'SeLockMemoryPrivilege', - 'SeRestorePrivilege', - 'SeTrustedCredManAccessPrivilege', - 'SeEnableDelegationPrivilege', - 'SeRelabelPrivilege', - 'SeShutdownPrivilege' - )] - [string] $Policy, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [AllowEmptyCollection()] - [string[]] $Identity - ) - - process { - $securityPolicy = Get-SecurityPolicy -Verbose:$VerbosePreference - $currentUserRights = $securityPolicy["Privilege Rights"][$Policy] - - $identityAccounts = $Identity | ConvertTo-NTAccountUser | Where-Object { $_ -ne $null } - - $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } - $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } - - if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { - $messages = @() - if ($unexpectedUsers.Count -gt 0) { - $messages += 'The user right setting contains following unexpected users: ' + ($unexpectedUsers -join ", ") - } - if ($missingUsers.Count -gt 0) { - $messages += 'The user right setting does not contain the following users: ' + ($missingUsers -join ", ") - } - $message = $messages -join [System.Environment]::NewLine - - Write-Verbose -Message $message - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = $message - Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} - -function Get-AuditPolicyAudit { - [CmdletBinding()] - [OutputType([AuditInfo])] - Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - 
[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [ValidateSet(
- 'Security System Extension',
- 'System Integrity',
- 'IPsec Driver',
- 'Other System Events',
- 'Security State Change',
- 'Logon',
- 'Logoff',
- 'Account Lockout',
- 'IPsec Main Mode',
- 'IPsec Quick Mode',
- 'IPsec Extended Mode',
- 'Special Logon',
- 'Other Logon/Logoff Events',
- 'Network Policy Server',
- 'User / Device Claims',
- 'Group Membership',
- 'File System',
- 'Registry',
- 'Kernel Object',
- 'SAM',
- 'Certification Services',
- 'Application Generated',
- 'Handle Manipulation',
- 'File Share',
- 'Filtering Platform Packet Drop',
- 'Filtering Platform Connection',
- 'Other Object Access Events',
- 'Detailed File Share',
- 'Removable Storage',
- 'Central Policy Staging',
- 'Non Sensitive Privilege Use',
- 'Other Privilege Use Events',
- 'Sensitive Privilege Use',
- 'Process Creation',
- 'Process Termination',
- 'DPAPI Activity',
- 'RPC Events',
- 'Plug and Play Events',
- 'Token Right Adjusted Events',
- 'Audit Policy Change',
- 'Authentication Policy Change',
- 'Authorization Policy Change',
- 'MPSSVC Rule-Level Policy Change',
- 'Filtering Platform Policy Change',
- 'Other Policy Change Events',
- 'Computer Account Management',
- 'Security Group Management',
- 'Distribution Group Management',
- 'Application Group Management',
- 'Other Account Management Events',
- 'User Account Management',
- 'Directory Service Access',
- 'Directory Service Changes',
- 'Directory Service Replication',
- 'Detailed Directory Service Replication',
- 'Kerberos Service Ticket Operations',
- 'Other Account Logon Events',
- 'Kerberos Authentication Service',
- 'Credential Validation')]
- [string] $Subcategory,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [ValidateSet(
- 'Success',
- 'Failure',
- 'Success and Failure',
- 'No Auditing')]
- [string] $AuditFlag
- )
-
- process {
- # Get the audit policy for the subcategory $subcategory
- $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory $Subcategory
- $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
-
- # auditpol does not throw exceptions, so test the results and throw if needed
- if ($LASTEXITCODE -ne 0) {
- $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
- throw [System.ArgumentException] $errorString
- Write-Error -Message $errorString
- }
-
- if ($null -eq $auditPolicyString) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Couldn't get setting. Auditpol returned nothing."
- Audit = [AuditStatus]::False
- }
- }
-
- # Remove empty lines and headers
- $line = $auditPolicyString `
- | Where-Object { $_ } `
- | Select-Object -Skip 3
-
- if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Couldn't get setting."
- Audit = [AuditStatus]::False
- }
- }
-
- $setting = $Matches[0]
-
- if ($setting -ne $AuditFlag) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Set to: $setting"
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-WindowsOptionalFeatureAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Feature
- )
-
- process {
- $installState = (Get-WindowsOptionalFeature -Online -FeatureName $Feature).State
-
- if ($installState -ne "Disabled") {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "The feature is not disabled."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-enum GARights {
- GENERIC_READ = 0x80000000
- GENERIC_WRITE = 0x40000000
- GENERIC_EXECUTE = 0x20000000
- GENERIC_ALL = 0x10000000
-}
-
-# See https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights for more information
-$GAToFSRMapping = @{
- [GARights]::GENERIC_READ = `
- [FileSystemRights]::ReadAttributes -bor `
- [FileSystemRights]::ReadData -bor `
- [FileSystemRights]::ReadExtendedAttributes -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_WRITE = `
- [FileSystemRights]::AppendData -bor `
- [FileSystemRights]::WriteAttributes -bor `
- [FileSystemRights]::WriteData -bor `
- [FileSystemRights]::WriteExtendedAttributes -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_EXECUTE = `
- [FileSystemRights]::ExecuteFile -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::ReadAttributes -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_ALL = `
- [FileSystemRights]::FullControl
-}
-
-function Convert-FileSystemRight {
- param(
- [Parameter(Mandatory = $true)]
- [FileSystemRights] $OriginalRights
- )
-
- [FileSystemRights]$MappedRights = [FileSystemRights]::new()
-
- # map generic access right
- foreach ($GAR in $GAToFSRMapping.Keys) {
- if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
- $MappedRights = $MappedRights -bor $GAToFSRMapping[$GAR]
- }
- }
-
- # mask standard access rights and object-specific access rights
- $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
-
- return $MappedRights
-}
-
-# Non official mappings
-$GAToRRMaping = @{
- [GARights]::GENERIC_READ = `
- [RegistryRights]::ReadKey
- [GARights]::GENERIC_WRITE = `
- [RegistryRights]::WriteKey
- [GARights]::GENERIC_ALL = `
- [RegistryRights]::FullControl
-}
-
-function Get-FileSystemPermissionsAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Target,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [hashtable] $PrincipalRights
- )
-
- process {
- if ($Target -match "(%(.+)%)") {
- $varName = $Matches[2]
- $replaceValue = (Get-Item -Path "Env:$varName").Value
- $Target = $Target.Replace($Matches[1], $replaceValue)
- }
-
- $acls = (Get-Acl $Target).Access
-
- Write-Verbose "File system permissions for target: $Target)"
-
- $prinicpalsWithTooManyRights = $acls | Where-Object {
- $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
- }
- $principalsWithWrongRights = $acls `
- | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
- | Where-Object {
- # convert string to rights enum
- $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
- $mappedRights = Convert-FileSystemRight -OriginalRights $_.FileSystemRights
- $mappedRights -notin $referenceRights
- }
-
- if (($prinicpalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
- $messages = @()
- $messages += $prinicpalsWithTooManyRights | ForEach-Object {
- $mappedRights = Convert-FileSystemRight -OriginalRights $_.FileSystemRights
- "Unexpected '$($_.IdentityReference)' with access '$($mappedRights)'"
- }
- $messages += $principalsWithWrongRights | ForEach-Object {
- $idKey = $_.IdentityReference.Value
- $mappedRights = Convert-FileSystemRight -OriginalRights $_.FileSystemRights
- "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
- }.GetNewClosure()
- $messages | ForEach-Object { Write-Verbose "$($Id): $_" }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = $messages -join "; "
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Convert-RegistryRight {
- param(
- [Parameter(Mandatory = $true)]
- [RegistryRights] $OriginalRights
- )
-
- [RegistryRights]$MappedRights = [RegistryRights]::new()
-
- # map generic access right
- foreach ($GAR in $GAToRRMaping.Keys) {
- if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
- $MappedRights = $MappedRights -bor $GAToRRMaping[$GAR]
- }
- }
-
- # mask standard access rights and object-specific access rights
- $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
-
- return $MappedRights
-}
-
-function Get-RegistryPermissionsAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Target,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [hashtable] $PrincipalRights
- )
-
- process {
- if ($Target -match "(%(.+)%)") {
- $varName = $Matches[2]
- $replaceValue = (Get-Item -Path "Env:$varName").Value
- $Target = $Target.Replace($Matches[1], $replaceValue)
- }
-
- $acls = (Get-Acl $Target).Access
-
- Write-Verbose "Registry permissions for target: $Target)"
-
- $prinicpalsWithTooManyRights = $acls | Where-Object {
- $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
- }
- $principalsWithWrongRights = $acls `
- | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
- | Where-Object {
- # convert string to rights enum
- $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
- $mappedRights = Convert-RegistryRight -OriginalRights $_.RegistryRights
- $mappedRights -notin $referenceRights
- }
-
- if (($prinicpalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
- $messages = @()
- $messages += $prinicpalsWithTooManyRights | ForEach-Object {
- $mappedRights = Convert-RegistryRight -OriginalRights $_.RegistryRights
- "Unexpected '$($_.IdentityReference)' with access '$($mappedRights)'"
- }
- $messages += $principalsWithWrongRights | ForEach-Object {
- $idKey = $_.IdentityReference.Value
- $mappedRights = Convert-RegistryRight -OriginalRights $_.RegistryRights
- "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
- }.GetNewClosure()
- $messages | ForEach-Object { Write-Verbose -Message "$($Id): $_" }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = $messages -join "; "
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-FirewallProfileAudit {
- [CmdletBinding()]
- [OutputType([AuditInfo])]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Profile,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Setting,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Value
- )
-
- process {
- Write-Verbose -Message "Profile: $Profile, Setting: $Setting, Value: $Value"
-
- $firewallProfileArgs = @{ Name = $Profile }
- if ($Setting -like "AllowLocal*Rules") {
- $firewallProfileArgs.PolicyStore = "localhost"
- }
-
- $profileSettings = Get-NetFirewallProfile @firewallProfileArgs
- $currentValue = $profileSettings | Select-Object -ExpandProperty $Setting
-
- if ($currentValue -ne $Value) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Profile setting '$Setting' is currently set to '$currentValue'. Expected value is '$Value'."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-#endregion
-
-
-function New-AuditPipeline {
- [CmdletBinding()]
- [OutputType([scriptblock])]
- param(
- [Parameter(Mandatory = $true, Position = 0)]
- [scriptblock[]] $AuditFunctions
- )
-
- return {
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $AuditSetting
- )
-
- process {
- $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting
-
- foreach ($auditFunction in $AuditFunctions) {
- $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference
- if ($audit -is [AuditInfo]) {
- return $audit
- }
- }
- return $null
- }
- }.GetNewClosure()
-}
-
-
-#region Audits
-
-class BenchmarkSection
-{
- [string] $Name
- [ConfigMetadata[]] $Configs
-}
-
-class Benchmark
-{
- [string] $Name
- [string] $Description
- [BenchmarkSection[]] $Sections
-
- # Benchmark([hashtable] $benchmark) {
- # foreach ($key in $benchmark.Keys) {
- # $this.Sections += [BenchmarkSection]@{
- # Name = $benchmark[$key].Name
- # Configs = $benchmark[$key].Configs
- # }
- # }
- # }
-}
-
-function Get-BenchmarkSectionReport {
- [CmdletBinding()]
- [OutputType([hashtable])]
- param (
- [Parameter(Mandatory = $true)]
- [BenchmarkSection]
- $Section
- )
-
- $audits = @()
- foreach ($config in $Section.Configs) {
- try {
- $audit = $config.Test()
- $audits += [AuditInfo]@{
- Id = $config.Id
- Task = $config.Task
- Message = $audit.Message
- Audit = $audit.Status
- }
- }
- catch {
- Write-Error @_
- $audits += [AuditInfo]@{
- Id = $config.Id
- Task = $config.Task
- Message = "An error occured!"
- Audit = [AuditStatus]::None
- }
- }
- }
- return @{
- Title = $Section.Name
- AuditInfos = $audits
- }
-}
-
-function Get-BenchmarkReport {
- [CmdletBinding()]
- [OutputType([hashtable])]
- param (
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [Benchmark]
- $Benchmark
- )
-
- $subSections = @()
- foreach ($section in $benchmark.Sections) {
- $subSections += Get-BenchmarkSectionReport -Section $section
- }
-
- return @{
- Title = $Benchmark.Name
- Description = $Benchmark.Description
- SubSections = $subSections
- }
-}
-#endregion
-
-class AdapterConfig {
- $Data
- [scriptblock] $Pipeline
- [bool] $ShouldPreprocessSpecialValue
-
- [AuditResult] Test() {
- $vals = $this.Data
- if ($this.ShouldPreprocessSpecialValue) {
- $vals = $vals | PreprocessSpecialValueSetting
- }
- $ret = $vals | &$this.Pipeline
-
- return [AuditResult]@{
- Status = [AuditResultStatus]($ret.Audit)
- Message = $ret.Message
- }
- }
-}
-
-function Get-AdapterConfigMetadata {
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable]
- $Config,
-
- [Parameter(Mandatory = $true)]
- [scriptblock]
- $Pipeline,
-
- [switch]
- $ShouldPreprocessSpecialValue = $false
- )
-
- process {
- return [ConfigMetadata]@{
- Id = $Config.Id
- Task = $Config.Task
- Config = [AdapterConfig]@{
- Data = $Config
- Pipeline = $Pipeline
- ShouldPreprocessSpecialValue = $ShouldPreprocessSpecialValue
- }
- }
- }
-}
-
-function Get-CisBenchmark {
- [CmdletBinding()]
- [OutputType([Benchmark])]
- param()
-
- return [Benchmark]@{
- Name = "CIS Benchmarks"
- Description = "This section contains all benchmarks from CIS Microsoft Windows 10 Enterprise Release 1709 Benchmark v1.4.0."
- Sections = @(
- [BenchmarkSection]@{
- Name = "Registry Settings/Group Policies"
- Configs = $CisBenchmarks.RegistrySettings | Get-ConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "User Rights Assignment"
- Configs = $CisBenchmarks.UserRights | Get-ConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "Account Policies"
- Configs = $CisBenchmarks.AccountPolicies | Get-ConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "Windows Firewall with Advanced Security"
- Configs = $CisBenchmarks.AuditPolicies | Get-ConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "Advanced Audit Policy Configuration"
- Configs = $CisBenchmarks.AuditPolicies | Get-ConfigMetadata
- }
- )
- }
-}
-
-function Get-DisaBenchmark {
- [CmdletBinding()]
- [OutputType([Benchmark])]
- param()
-
- return [Benchmark]@{
- Name = "DISA Recommendations"
- Description = "This section contains all DISA Windows 10 Security Technical Implementation Guide V1R16."
- Sections = @(
- [BenchmarkSection]@{
- Name = "Registry Settings/Group Policies"
- Configs = $DisaRequirements.RegistrySettings `
- | Get-AdapterConfigMetadata `
- -Pipeline (New-AuditPipeline ${Function:Get-RegistryAudit}) `
- -ShouldPreprocessSpecialValue
- }
- [BenchmarkSection]@{
- Name = "User Rights Assignment"
- Configs = $DisaRequirements.UserRights | Get-DomainRoleConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "Account Policies"
- Configs = $DisaRequirements.AccountPolicies | Get-ConfigMetadata
- }
- [BenchmarkSection]@{
- Name = "Windows Features"
- Configs = $DisaRequirements.WindowsOptionalFeatures `
- | Get-AdapterConfigMetadata `
- -Pipeline (New-AuditPipeline ${Function:Get-WindowsOptionalFeatureAudit}) `
- -ShouldPreprocessSpecialValue
- }
- [BenchmarkSection]@{
- Name = "File System Permissions"
- Configs = $DisaRequirements.FileSystemPermissions `
- | Get-AdapterConfigMetadata `
- -Pipeline (New-AuditPipeline ${Function:Get-FileSystemPermissionsAudit}) `
- -ShouldPreprocessSpecialValue
- }
- [BenchmarkSection]@{
- Name = "Registry Permissions"
- Configs = $DisaRequirements.RegistryPermissions `
- | Get-AdapterConfigMetadata `
- -Pipeline (New-AuditPipeline ${Function:Get-RegistryPermissionsAudit}) `
- -ShouldPreprocessSpecialValue
- }
- )
- }
-}
-
-#region Report-Generation
-
-function Get-Windows10Report {
- [CmdletBinding()]
- [OutputType([hashtable])]
- param()
-
- return @{
- Title = "Windows 10 Report"
- ModuleName = "Windows10Audit"
- BasedOn = @(
- "Windows 10 Security Technical Implementation Guide V1R16 2019-01-25"
- "CIS Microsoft Windows 10 Enterprise Release 1709 Benchmark v1.4.0"
- )
- Sections = @(
- (Get-DisaBenchmark | Get-BenchmarkReport)
- (Get-CisBenchmark | Get-BenchmarkReport)
- )
- }
-}
-
-function Save-Windows10Report {
- [CmdletBinding()]
- param(
- [Parameter(Mandatory = $true)]
- [string]
- $Path,
-
- [Parameter(Mandatory = $false)]
- [switch]
- $Force,
-
- [Parameter(Mandatory = $false)]
- [switch]
- $NoClobber
- )
-
- Get-Windows10Report | Export-Clixml -Path $Path -Force:$Force -NoClobber:$NoClobber
-}
-
-<#
- In this section the HTML report gets build and saved to the desired destination set by parameter saveTo
-#>
-function Save-Windows10HtmlReport {
- [CmdletBinding()]
- param(
- [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html",
- [switch] $DarkMode
- )
-
- $parent = Split-Path $Path
- if (-not (Test-Path $parent)) {
- Write-Error "The path doesn't not exist!"
- }
-
- $report = Get-Windows10Report
- Get-ATAPHtmlReport @report -Path $Path -DarkMode:$DarkMode
-}
-
-Set-Alias -Name Get-Windows10HtmlReport -Value Save-Windows10HtmlReport
-Set-Alias -Name Save-HtmlReport -Value Save-Windows10HtmlReport
-Set-Alias -Name Get-HtmlReport -Value Save-Windows10HtmlReport
-Set-Alias -Name shr -Value Save-Windows10HtmlReport
-#endregion
\ No newline at end of file
diff --git a/Windows10GDPRAudit/README.md b/Windows10GDPRAudit/README.md
deleted file mode 100644
index 79a6c484..00000000
--- a/Windows10GDPRAudit/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Windows 10 General Data Protection Regulation (GDPR) Audit
-
-based on
-* _Windows 10 GDPR settings by Microsoft_
-* _Windows 10 telemetry settings by Bundesamt für Sicherheit in der Informationstechnik (BSI)_
-
-## Overview
-
-The `Windows10GDPRAudit`-Module benchmarks the current systems settings with current GDPR recommendations from Microsoft and BSI. This module is designed for Windows 10.
-
-## Requirements
-
-Please make sure that following requirements are fulfilled:
-
-* **Windows 10**
-* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module.
-
-## Loading the Windows 10 GDPR Audit module
-
-1. Download the release zip and export the modules in a location you can easily access with PowerShell
-2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example:
-```Powershell
-cd .\Desktop\
-Import-Module -Name .\Audit-Test-Automation\Windows10GDPRAudit -Verbose
-```
-3. Generate a report with `Get-Windows10GDPRHtmlReport` For example:
-```PowerShell
-Get-Windows10GDPRHtmlReport -Path "MyReport.html"
-```
-
-## Sample report
-
-You can find a sample report in the [Sample](Sample) folder.
-
-## Remarks
-
-None.
diff --git a/Windows10GDPRAudit/Sample/sample_report.html b/Windows10GDPRAudit/Sample/sample_report.html
deleted file mode 100644
index fbf12829..00000000
--- a/Windows10GDPRAudit/Sample/sample_report.html
+++ /dev/null
@@ -1 +0,0 @@
-Windows 10 GDPR Audit Report [10/23/2019 01:43:34]

Windows 10 GDPR Audit Report

Generated by the Windows10GDPRAudit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on GDPR settings by Microsoft, Bundesamt für Sicherheit in der Informationstechnik (BSI).

This report was generated at 10/23/2019 01:43:34 on DESKTOP-VSBMIM9.

HostnameDESKTOP-VSBMIM9
Build Number17763
Free disk space(GB) 102.9
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.585

Summary

A total of 119 tests have been run. 11 resulted in false. 0 resulted in warning.

  1. True 108 test(s) ≙ 90.76%
  2. False 11 test(s) ≙ 9.24%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%

Navigation

Click the link(s) below for quick access to a report section.

GDPR settings by Microsoft^

Id Task Message Audit
1 Turn off Automatic Root Certificates Update Compliant True
2.1.1 Disable Allow Cortana Compliant True
2.1.2 Disable Allow search and Cortana to use location Compliant True
2.1.3 Do not allow web search Compliant True
2.1.4 Don't search the web or display web results in Search Compliant True
2.1.5 Set Set what information is shared in Search to Anonymous info Compliant True
3.1 Prevent Windows from setting the time automatically Compliant True
3.2 Disable Windows NTP Client Compliant True
4 Prevent Windows from retrieving device metadata from the Internet Compliant True
5 Turn off Find My Device Compliant True
6 Disable Font Providers Compliant True
7 Turn off Insider Preview builds for Windows 10 Compliant True
8.0.1 Disable Suggested Sites Compliant True
8.0.2 Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar Compliant True
8.0.3 Turn off the auto-complete feature for web addresses Compliant True
8.0.4 Turn off browser geolocation Compliant True
8.0.5 Prevent managing SmartScreen filter Compliant True
8.0.6 Turn off Compatibility View. Compliant True
8.0.7 Turn off the flip ahead with page prediction feature Compliant True
8.0.8 Turn off background synchronization for feeds and Web Slices Compliant True
8.0.9 Disable Allow Online Tips Compliant True
8.0.10 Set home page blank Registry key or value not found False
8.0.11 Disable changing home page settings Registry key or value not found False
8.0.12 Prevent running First Run wizard Registry key or value not found False
8.0.13 Specify default behavior for a new tab Registry key or value not found False
8.1 Turn off Automatic download of the ActiveX VersionList Registry key or value not found False
9 Turn off License Manager related traffic Compliant True
10 Turn Off notifications network usage Compliant True
11 Turn off mail synchronization for Microsoft Accounts that are configured on the device Compliant True
12 Disable the Microsoft Account Sign-In Assistant Compliant True
13.1 Disable Allow Address Bar drop-down list suggestions Compliant True
13.2 Disable Allow configuration updates for the Books Library Compliant True
13.3 Disable Configure Autofill Compliant True
13.4 Configure Do Not Track Compliant True
13.5 Disable Configure Password Manager Compliant True
13.6 Disable Configure search suggestions in Address Bar Compliant True
13.7 Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) Compliant True
13.8 Disable Allow web content on New Tab page Compliant True
13.9 Configure corporate Home pages Compliant True
13.10 Prevent the First Run webpage from opening on Microsoft Edge Compliant True
13.11 Disable Compatibility View. Compliant True
14 Turn off Windows Network Connectivity Status Indicator active tests Compliant True
15.1 Turn off Automatic Download and Update of Map Data Compliant True
15.2 Turn off unsolicited network traffic on the Offline Maps settings page Compliant True
16.1 Prevent the usage of OneDrive for file storage Compliant True
16.2 Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable) Compliant True
18.1.1 Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) Compliant True
18.1.2 Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) Compliant True
18.1.3 Turn off Let websites provide locally relevant content by accessing my language list Registry key or value not found False
18.1.4 Turn off Let Windows track app launches to improve Start and search results Registry key or value not found False
18.2.1 Turn off Location for this device Compliant True
18.2.2 Turn off Location Compliant True
18.3.1 Turn off Let apps use my camera Compliant True
18.4.1 Turn off Let apps use my microphone Compliant True
18.5.1 Turn off notifications network usage Compliant True
18.5.2 Turn off Let apps access my notifications Compliant True
18.6.1 Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services Registry key or value not found False
18.6.2 Turn off updates to the speech recognition and speech synthesis models Compliant True
18.7.1 Turn off Let apps access my name, picture, and other account info Compliant True
18.8 Turn off Choose apps that can access contacts Compliant True
18.9.1 Turn off Let apps access my calendar Compliant True
18.10 Turn off Let apps access my call history Compliant True
18.11 Turn off Let apps access and send email Compliant True
18.12.1 Turn off Let apps read or send messages (text or MMS) Compliant True
18.12.3 Turn off Message Sync Compliant True
18.13.1 Turn off Let apps make phone calls Compliant True
18.14.1 Turn off Let apps control radios Compliant True
18.15.1 Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone Compliant True
18.15.2 Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone) Compliant True
18.16.1 Do not show feedback notificationsk Compliant True
18.16.2 Set Send your device data to Microsoft to Basic Compliant True
18.16.3 Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data Compliant True
18.16.4 Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data Registry value is wrong False
18.17 Turn off Let apps run in the background Compliant True
18.18 Turn off Let Windows and your apps use your motion data and collect motion history Compliant True
18.19 Set Let Windows apps access Tasks to Force Deny Compliant True
18.20 Let Windows apps access diagnostic information about other apps Compliant True
18.21 Turn off Inking & Typing data collection Compliant True
18.22.1 Disable Activity Feed Compliant True
18.22.2 Disable Allow publishing of User Activities Compliant True
18.22.3 Disable Allow upload of User Activities Compliant True
18.23.1 Disable Let Windows apps activate with voice Compliant True
18.23.2 Disable Allow publishing of User Activities Compliant True
19 Turn off KMS Client Online AVS Validation Compliant True
20 Disable Allow downloading updates to the Disk Failure Prediction Model Compliant True
21.1 Enable Do not sync Compliant True
21.2 Disable Allow users to turn syncing on Compliant True
21.3 Turn off Messaging cloud sync Registry key or value not found False
22 Set Teredo State to disabled state Compliant True
23 Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts Compliant True
24.0.1 Disable Join Microsoft MAPS Compliant True
24.0.3 Set Send file samples when further analysis is required to Never Send Compliant True
24.0.4 Set Define the order of sources for downloading definition updates to FileShares Compliant True
24.0.5 Define Define file shares for downloading definition updates to Nothing Compliant. Registry key or value not found True
24.0.6 Turn off Malicious Software Reporting Tool diagnostic data Compliant True
24.0.7 Turn off Enhanced Notifications as follows Compliant True
24.1.1 Disable Windows Defender Smartscreen Compliant True
24.1.2 Disable Windows Defender Smartscreen Compliant True
24.1.3 Disable Windows Defender Smartscreen Compliant True
25.1 Turn off all Windows spotlight features Registry value is wrong False
25.2 Do not display the Lock Screen Compliant True
25.3 Force a specific default lock screen image and logon image Compliant True
25.4 Turn off fun facts, tips, tricks, and more on lock screen Compliant True
25.5 Do not show Windows tips Compliant True
25.6 Turn off Microsoft consumer experiences Compliant True
26.1 Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded Compliant True
26.2 Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded Compliant True
27 Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app Compliant True
28.3 Enable the Download Mode and set the Download Mode to "Bypass" to prevent traffic Compliant True
29.1 Turn off Windows Update Compliant True
29.2 Turn off Windows Update Compliant True
29.3 Turn off Windows Update Compliant True
29.4 Turn off Windows Update Compliant True
29.5 Turn off Windows Update Compliant True
29.6 Turn off Windows Update Compliant True

Bundesamt für Sicherheit in der Informationstechnik (BSI)^

Id Task Message Audit
3.1.1 Configuration of the lowest telemetry-level Compliant True
3.1.2.1 Deactivation of the telemetry-service and etw-sessions - DiagTrack Compliant True
3.1.2.2 Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener Compliant True
3.1.3.1 Deactivation of telemetry according to Microsoft recommendation Compliant True
diff --git a/Windows10GDPRAudit/Windows10GDPRAudit.psd1 b/Windows10GDPRAudit/Windows10GDPRAudit.psd1
deleted file mode 100644
index 03eee726..00000000
--- a/Windows10GDPRAudit/Windows10GDPRAudit.psd1
+++ /dev/null
@@ -1,71 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-RootModule = 'Windows10GDPRAudit.psm1'
-ModuleVersion = '1.0'
-GUID = '2882d5ef-38e0-43df-9dd6-70523f8afd6c'
-Author = 'Peter Maier'
-CompanyName = 'FB Pro GmbH'
-Copyright = '(c) 2019 FB Pro GmbH. All rights reserved.'
-# Description = ''
-# PowerShellVersion = ''
-# PowerShellHostName = ''
-# PowerShellHostVersion = ''
-# DotNetFrameworkVersion = ''
-# CLRVersion = ''
-# RequiredModules = @()
-# RequiredAssemblies = @()
-# ScriptsToProcess = @()
-FunctionsToExport = @(
- 'Get-Windows10GDPRHtmlReport'
-)
-CmdletsToExport = @()
-VariablesToExport = '*'
-AliasesToExport = @()
-# DscResourcesToExport = @()
-# ModuleList = @()
-# FileList = @()
-PrivateData = @{
-
- PSData = @{
- # Tags = @()
- # LicenseUri = ''
- # ProjectUri = ''
- # IconUri = ''
- # ReleaseNotes = ''
- } # End of PSData hashtable
-} # End of PrivateData hashtable
-# HelpInfoURI = ''
-# DefaultCommandPrefix = ''
-}
-
diff --git a/Windows10GDPRAudit/Windows10GDPRAudit.psm1 b/Windows10GDPRAudit/Windows10GDPRAudit.psm1
deleted file mode 100644
index d739c8d2..00000000
--- a/Windows10GDPRAudit/Windows10GDPRAudit.psm1
+++ /dev/null
@@ -1,4602 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - - -using module ATAPHtmlReport - -function Test-Windows10_GDPR_MS_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableRootAutoUpdate' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '1' - Task = "Turn off Automatic Root Certificates Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '1' - Task = "Turn off Automatic Root Certificates Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '1' - Task = "Turn off Automatic Root Certificates Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '1' - Task = "Turn off Automatic Root Certificates Update" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_2_1_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowCortana' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '2.1.1' - Task = "Disable Allow Cortana" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '2.1.1' - Task = "Disable Allow Cortana" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '2.1.1' - Task = "Disable Allow Cortana" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '2.1.1' - Task = "Disable Allow Cortana" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_2_1_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowSearchToUseLocation' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '2.1.2' - Task = "Disable Allow search and Cortana to use location" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '2.1.2' - Task = "Disable Allow search and Cortana to use location" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '2.1.2' - Task = "Disable Allow search and Cortana to use location" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '2.1.2' - Task = "Disable Allow search 
and Cortana to use location" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_2_1_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableWebSearch' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '2.1.3' - Task = "Do not allow web search" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '2.1.3' - Task = "Do not allow web search" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '2.1.3' - Task = "Do not allow web search" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '2.1.3' - Task = "Do not allow web search" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_2_1_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -ErrorAction Stop | Select-Object -ExpandProperty 'ConnectedSearchUseWeb' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '2.1.4' - Task = "Don't search the web or display web results in Search" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '2.1.4' - Task = "Don't search the web or display web results in Search" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '2.1.4' - Task = "Don't search the web or display web results in Search" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '2.1.4' - Task = "Don't search the web or display web results in Search" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_2_1_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -ErrorAction Stop | Select-Object -ExpandProperty 'ConnectedSearchPrivacy' -ErrorAction Stop - if ($regValue -eq '3') { - return [AuditInfo] @{ - Id = '2.1.5' - Task = "Set Set what information is shared in Search to Anonymous info" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '2.1.5' - Task = "Set Set what information is shared in Search to Anonymous info" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '2.1.5' - Task = "Set Set what information is shared in Search to Anonymous info" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '2.1.5' - Task = "Set Set what information is shared in Search to Anonymous info" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_3_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -ErrorAction Stop | Select-Object -ExpandProperty 'Type' -ErrorAction Stop - if ($regValue -eq 'NoSync') { - return [AuditInfo] @{ - Id = '3.1' - Task = "Prevent Windows from setting the time automatically" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.1' - Task = "Prevent Windows from setting the time automatically" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.1' - Task = "Prevent Windows from setting the time automatically" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.1' - Task = "Prevent Windows from setting the time automatically" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_3_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient' -ErrorAction Stop | Select-Object -ExpandProperty 'Enabled' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '3.2' - Task = "Disable Windows NTP Client" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.2' - Task = "Disable Windows NTP Client" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.2' - Task = "Disable Windows NTP Client" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.2' - Task = "Disable Windows NTP Client" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata' -ErrorAction Stop | Select-Object -ExpandProperty 'PreventDeviceMetadataFromNetwork' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '4' - Task = "Prevent Windows from retrieving device metadata from the Internet" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '4' - Task = "Prevent Windows from retrieving device metadata from the Internet" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '4' - Task = "Prevent Windows from retrieving device metadata from the Internet" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return 
[AuditInfo] @{ - Id = '4' - Task = "Prevent Windows from retrieving device metadata from the Internet" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FindMyDevice' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowFindMyDevice' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '5' - Task = "Turn off Find My Device" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '5' - Task = "Turn off Find My Device" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '5' - Task = "Turn off Find My Device" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '5' - Task = "Turn off Find My Device" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'EnableFontProviders' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '6' - Task = "Disable Font Providers" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '6' - Task = "Disable Font Providers" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '6' - Task = "Disable Font Providers" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '6' - Task = "Disable Font Providers" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_7 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowBuildPreview' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '7' - Task = "Turn off Insider Preview builds for Windows 10" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '7' - Task = "Turn off Insider Preview builds for Windows 10" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '7' - Task = "Turn off Insider Preview builds for Windows 10" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '7' - Task = "Turn off Insider Preview builds for Windows 10" - Message = 'An error 
occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites' -ErrorAction Stop | Select-Object -ExpandProperty 'Enabled' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.1' - Task = "Disable Suggested Sites" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.1' - Task = "Disable Suggested Sites" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.1' - Task = "Disable Suggested Sites" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.1' - Task = "Disable Suggested Sites" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowServicePoweredQSA' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.2' - Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.2' - Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.2' - Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in 
the Address Bar" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.2' - Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete' -ErrorAction Stop | Select-Object -ExpandProperty 'AutoSuggest' -ErrorAction Stop - if ($regValue -eq 'No') { - return [AuditInfo] @{ - Id = '8.0.3' - Task = "Turn off the auto-complete feature for web addresses" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.3' - Task = "Turn off the auto-complete feature for web addresses" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.3' - Task = "Turn off the auto-complete feature for web addresses" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.3' - Task = "Turn off the auto-complete feature for web addresses" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation' -ErrorAction Stop | Select-Object -ExpandProperty 'PolicyDisableGeolocation' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '8.0.4' - Task = "Turn off browser geolocation" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.4' - Task = "Turn off browser geolocation" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.4' - Task = "Turn off browser geolocation" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.4' - Task = "Turn off browser geolocation" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter' -ErrorAction Stop | Select-Object -ExpandProperty 'EnabledV9' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.5' - Task = "Prevent managing SmartScreen filter" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.5' - Task = "Prevent managing SmartScreen filter" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.5' - Task = "Prevent managing SmartScreen filter" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.5' - Task = "Prevent managing SmartScreen filter" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableSiteListEditing' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '8.0.6' - Task = "Turn off Compatibility View." - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.6' - Task = "Turn off Compatibility View." - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.6' - Task = "Turn off Compatibility View." 
- Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.6' - Task = "Turn off Compatibility View." - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_7 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead' -ErrorAction Stop | Select-Object -ExpandProperty 'Enabled' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.7' - Task = "Turn off the flip ahead with page prediction feature" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.7' - Task = "Turn off the flip ahead with page prediction feature" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.7' - Task = "Turn off the flip ahead with page prediction feature" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.7' - Task = "Turn off the flip ahead with page prediction feature" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_8 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' -ErrorAction Stop | Select-Object -ExpandProperty 'BackgroundSyncStatus' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.8' - Task = "Turn off background synchronization for feeds and Web Slices" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.8' - Task = "Turn off background synchronization for feeds and Web Slices" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.8' - Task = "Turn off background synchronization for feeds and Web Slices" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.8' - Task = "Turn off background synchronization for feeds and Web Slices" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_9 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowOnlineTips' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.9' - Task = "Disable Allow Online Tips" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.9' - Task = "Disable Allow Online Tips" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.9' - Task = "Disable Allow Online Tips" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.9' - Task = "Disable Allow Online Tips" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_10 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'Start Page' -ErrorAction Stop - if ($regValue -eq 'about:blank') { - return [AuditInfo] @{ - Id = '8.0.10' - Task = "Set home page blank" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.10' - Task = "Set home page blank" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.10' - Task = "Set home page blank" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.10' - Task = "Set home page blank" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_11 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction Stop | Select-Object -ExpandProperty 'HomePage' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '8.0.11' - Task = "Disable changing home page settings" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.11' - Task = "Disable changing home page settings" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.11' - Task = "Disable changing home page settings" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.11' - Task = "Disable changing home page settings" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_12 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableFirstRunCustomize and set it to Go directly to home page' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '8.0.12' - Task = "Prevent running First Run wizard" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.12' - Task = "Prevent running First Run wizard" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.12' - Task = "Prevent running First Run wizard" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.12' - Task = "Prevent running First Run wizard" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_0_13 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing' -ErrorAction Stop | Select-Object -ExpandProperty 'NewTabPageShow' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.0.13' - Task = "Specify default behavior for a new tab" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.0.13' - Task = "Specify default behavior for a new tab" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.0.13' - Task = "Specify default behavior for a new tab" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.0.13' - Task = "Specify default behavior for a new tab" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_8_1 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager' -ErrorAction Stop | Select-Object -ExpandProperty 'DownloadVersionList' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '8.1' - Task = "Turn off Automatic download of the ActiveX VersionList" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '8.1' - Task = "Turn off Automatic download of the ActiveX VersionList" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '8.1' - Task = "Turn off Automatic download of the ActiveX VersionList" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '8.1' - Task = "Turn off Automatic download of the ActiveX VersionList" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_9 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\LicenseManager' -ErrorAction Stop | Select-Object -ExpandProperty 'Start' -ErrorAction Stop - if ($regValue -eq '4') { - return [AuditInfo] @{ - Id = '9' - Task = "Turn off License Manager related traffic" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '9' - Task = "Turn off License Manager related traffic" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '9' - Task = "Turn off License Manager related traffic" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '9' - Task = "Turn off License Manager related traffic" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_10 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' -ErrorAction Stop | Select-Object -ExpandProperty 'NoCloudApplicationNotification' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '10' - Task = "Turn Off notifications network usage" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '10' - Task = "Turn Off notifications network usage" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '10' - Task = "Turn Off notifications network usage" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '10' - Task = "Turn Off notifications network usage" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_11 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Mail' -ErrorAction Stop | Select-Object -ExpandProperty 'ManualLaunchAllowed' -ErrorAction Stop - if ($regValue -eq '4') { - return [AuditInfo] @{ - Id = '11' - Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '11' - Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '11' - Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '11' - Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_12 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\wlidsvc' -ErrorAction Stop | Select-Object -ExpandProperty 'Start' -ErrorAction Stop - if ($regValue -eq '4') { - return [AuditInfo] @{ - Id = '12' - Task = "Disable the Microsoft Account Sign-In Assistant" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '12' - Task = "Disable the Microsoft Account Sign-In Assistant" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '12' - Task = "Disable the Microsoft Account Sign-In Assistant" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '12' - Task = "Disable the Microsoft Account Sign-In Assistant" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI' -ErrorAction Stop | Select-Object -ExpandProperty 'ShowOneBox' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.1' - Task = "Disable Allow Address Bar drop-down list suggestions" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.1' - Task = "Disable Allow Address Bar drop-down list suggestions" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.1' - Task = "Disable Allow Address Bar drop-down list suggestions" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.1' - Task = "Disable Allow Address Bar drop-down list suggestions" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BooksLibrary' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowConfigurationUpdateForBooksLibrary' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.2' - Task = "Disable Allow configuration updates for the Books Library" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.2' - Task = "Disable Allow configuration updates for the Books Library" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.2' - Task = "Disable Allow configuration updates for the Books Library" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.2' - Task = "Disable Allow configuration updates for the Books Library" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'Use FormSuggest' -ErrorAction Stop - if ($regValue -eq 'No') { - return [AuditInfo] @{ - Id = '13.3' - Task = "Disable Configure Autofill" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.3' - Task = "Disable Configure Autofill" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.3' - Task = "Disable Configure Autofill" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.3' - Task = "Disable Configure Autofill" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'DoNotTrack' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '13.4' - Task = "Configure Do Not Track" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.4' - Task = "Configure Do Not Track" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.4' - Task = "Configure Do Not Track" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.4' - Task = "Configure Do Not Track" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'FormSuggest Passwords' -ErrorAction Stop - if ($regValue -eq 'No') { - return [AuditInfo] @{ - Id = '13.5' - Task = "Disable Configure Password Manager" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.5' - Task = "Disable Configure Password Manager" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.5' - Task = "Disable Configure Password Manager" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.5' - Task = "Disable Configure Password Manager" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes' -ErrorAction Stop | Select-Object -ExpandProperty 'ShowSearchSuggestionsGlobal' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.6' - Task = "Disable Configure search suggestions in Address Bar" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.6' - Task = "Disable Configure search suggestions in Address Bar" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.6' - Task = "Disable Configure search suggestions in Address Bar" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.6' - Task = "Disable Configure search suggestions in Address Bar" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_7 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -ErrorAction Stop | Select-Object -ExpandProperty 'EnabledV9' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.7' - Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.7' - Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.7' - Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.7' - Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_8 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowWebContentOnNewTabPage' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.8' - Task = "Disable Allow web content on New Tab page" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.8' - Task = "Disable Allow web content on New Tab page" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.8' - Task = "Disable Allow web content on New Tab page" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.8' - Task = "Disable Allow web content on New Tab page" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_9 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings' -ErrorAction Stop | Select-Object -ExpandProperty 'ProvisionedHomePages' -ErrorAction Stop - if ($regValue -eq 'about:blank') { - return [AuditInfo] @{ - Id = '13.9' - Task = "Configure corporate Home pages" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.9' - Task = "Configure corporate Home pages" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.9' - Task = "Configure corporate Home pages" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.9' - Task = "Configure corporate Home pages" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_10 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' -ErrorAction Stop | Select-Object -ExpandProperty 'PreventFirstRunPage' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '13.10' - Task = "Prevent the First Run webpage from opening on Microsoft Edge" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.10' - Task = "Prevent the First Run webpage from opening on Microsoft Edge" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.10' - Task = "Prevent the First Run webpage from opening on Microsoft Edge" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.10' - Task = "Prevent the First Run webpage from opening on Microsoft Edge" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_13_11 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BrowserEmulation' -ErrorAction Stop | Select-Object -ExpandProperty 'MSCompatibilityMode' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '13.11' - Task = "Disable Compatibility View." - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '13.11' - Task = "Disable Compatibility View." - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '13.11' - Task = "Disable Compatibility View." 
- Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '13.11' - Task = "Disable Compatibility View." - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_14 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator' -ErrorAction Stop | Select-Object -ExpandProperty 'NoActiveProbe' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '14' - Task = "Turn off Windows Network Connectivity Status Indicator active tests" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '14' - Task = "Turn off Windows Network Connectivity Status Indicator active tests" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '14' - Task = "Turn off Windows Network Connectivity Status Indicator active tests" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '14' - Task = "Turn off Windows Network Connectivity Status Indicator active tests" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_15_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Maps' -ErrorAction Stop | Select-Object -ExpandProperty 'AutoDownloadAndUpdateMapData' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '15.1' - Task = "Turn off Automatic Download and Update of Map Data" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '15.1' - Task = "Turn off Automatic Download and Update of Map Data" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '15.1' - Task = "Turn off Automatic Download and Update of Map Data" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '15.1' - Task = "Turn off Automatic Download and Update of Map Data" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_15_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Maps' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowUntriggeredNetworkTrafficOnSettingsPage' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '15.2' - Task = "Turn off unsolicited network traffic on the Offline Maps settings page" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '15.2' - Task = "Turn off unsolicited network traffic on the Offline Maps settings page" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '15.2' - Task = "Turn off unsolicited network traffic on the Offline Maps settings page" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '15.2' - Task = "Turn off unsolicited network traffic on the Offline Maps settings page" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_16_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableFileSyncNGSC' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '16.1' - Task = "Prevent the usage of OneDrive for file storage" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '16.1' - Task = "Prevent the usage of OneDrive for file storage" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '16.1' - Task = "Prevent the usage of OneDrive for file storage" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '16.1' - Task = "Prevent the usage of OneDrive for file storage" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_16_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\OneDrive' -ErrorAction Stop | Select-Object -ExpandProperty 'PreventNetworkTrafficPreUserSignIn' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '16.2' - Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '16.2' - Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '16.2' - Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '16.2' - Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_1_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo' -ErrorAction Stop | Select-Object -ExpandProperty 'Enabled' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '18.1.1' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.1.1' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.1.1' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.1.1' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_1_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' -ErrorAction Stop | Select-Object -ExpandProperty 'DisabledByGroupPolicy' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '18.1.2' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.1.2' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.1.2' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.1.2' - Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_1_3 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\Control Panel\International\User Profile' -ErrorAction Stop | Select-Object -ExpandProperty 'HttpAcceptLanguageOptOut' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '18.1.3' - Task = "Turn off Let websites provide locally relevant content by accessing my language list" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.1.3' - Task = "Turn off Let websites provide locally relevant content by accessing my language list" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.1.3' - Task = "Turn off Let websites provide locally relevant content by accessing my language list" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.1.3' - Task = "Turn off Let websites provide locally relevant content by accessing my language list" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_1_4 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction Stop | Select-Object -ExpandProperty 'Start_TrackProgs' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '18.1.4' - Task = "Turn off Let Windows track app launches to improve Start and search results" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.1.4' - Task = "Turn off Let Windows track app launches to improve Start and search results" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.1.4' - Task = "Turn off Let Windows track app launches to improve Start and search results" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.1.4' - Task = "Turn off Let Windows track app launches to improve Start and search results" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_2_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessLocation' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '18.2.1' - Task = "Turn off Location for this device" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.2.1' - Task = "Turn off Location for this device" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.2.1' - Task = "Turn off Location for this device" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.2.1' - Task = "Turn off Location for this device" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_2_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\LocationAndSensors' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableLocation' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '18.2.2' - Task = "Turn off Location" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.2.2' - Task = "Turn off Location" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.2.2' - Task = "Turn off Location" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.2.2' - Task = "Turn off Location" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_3_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessCamera' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '18.3.1' - Task = "Turn off Let apps use my camera" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.3.1' - Task = "Turn off Let apps use my camera" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.3.1' - Task = "Turn off Let apps use my camera" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.3.1' - Task = "Turn off Let apps use my camera" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_4_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessMicrophone' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '18.4.1' - Task = "Turn off Let apps use my microphone" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.4.1' - Task = "Turn off Let apps use my microphone" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.4.1' - Task = "Turn off Let apps use my microphone" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.4.1' - Task = "Turn off Let apps use my microphone" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_5_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' -ErrorAction Stop | Select-Object -ExpandProperty 'NoCloudApplicationNotification' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '18.5.1' - Task = "Turn off notifications network usage" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.5.1' - Task = "Turn off notifications network usage" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.5.1' - Task = "Turn off notifications network usage" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.5.1' - Task = "Turn off notifications network usage" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_5_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessNotifications' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '18.5.2' - Task = "Turn off Let apps access my notifications" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.5.2' - Task = "Turn off Let apps access my notifications" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.5.2' - Task = "Turn off Let apps access my notifications" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.5.2' - Task = "Turn off Let apps access my notifications" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_6_1 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'HasAccepted' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '18.6.1' - Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.6.1' - Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.6.1' - Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.6.1' - Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_18_6_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Speech' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowSpeechModelUpdate' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '18.6.2' - Task = "Turn off updates to the speech recognition and speech synthesis models" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '18.6.2' - Task = "Turn off updates to the speech recognition and speech synthesis models" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '18.6.2' - Task = "Turn off updates to the speech recognition and speech synthesis models" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '18.6.2' - Task = "Turn off updates to the speech recognition and speech synthesis models" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_7_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessAccountInfo' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.7.1'
- Task = "Turn off Let apps access my name, picture, and other account info"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.7.1'
- Task = "Turn off Let apps access my name, picture, and other account info"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.7.1'
- Task = "Turn off Let apps access my name, picture, and other account info"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.7.1'
- Task = "Turn off Let apps access my name, picture, and other account info"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_8 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessContacts' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.8'
- Task = "Turn off Choose apps that can access contacts"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.8'
- Task = "Turn off Choose apps that can access contacts"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.8'
- Task = "Turn off Choose apps that can access contacts"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.8'
- Task = "Turn off Choose apps that can access contacts"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_9_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessCalendar' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.9.1'
- Task = "Turn off Let apps access my calendar"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.9.1'
- Task = "Turn off Let apps access my calendar"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.9.1'
- Task = "Turn off Let apps access my calendar"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.9.1'
- Task = "Turn off Let apps access my calendar"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_10 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessCallHistory' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.10'
- Task = "Turn off Let apps access my call history"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.10'
- Task = "Turn off Let apps access my call history"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.10'
- Task = "Turn off Let apps access my call history"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.10'
- Task = "Turn off Let apps access my call history"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_11 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessEmail' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.11'
- Task = "Turn off Let apps access and send email"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.11'
- Task = "Turn off Let apps access and send email"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.11'
- Task = "Turn off Let apps access and send email"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.11'
- Task = "Turn off Let apps access and send email"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_12_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessMessaging' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.12.1'
- Task = "Turn off Let apps read or send messages (text or MMS)"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.12.1'
- Task = "Turn off Let apps read or send messages (text or MMS)"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.12.1'
- Task = "Turn off Let apps read or send messages (text or MMS)"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.12.1'
- Task = "Turn off Let apps read or send messages (text or MMS)"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_12_3 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Messaging' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowMessageSync' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.12.3'
- Task = "Turn off Message Sync"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.12.3'
- Task = "Turn off Message Sync"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.12.3'
- Task = "Turn off Message Sync"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.12.3'
- Task = "Turn off Message Sync"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_13_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessPhone' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.13.1'
- Task = "Turn off Let apps make phone calls"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.13.1'
- Task = "Turn off Let apps make phone calls"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.13.1'
- Task = "Turn off Let apps make phone calls"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.13.1'
- Task = "Turn off Let apps make phone calls"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_14_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessRadios' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.14.1'
- Task = "Turn off Let apps control radios"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.14.1'
- Task = "Turn off Let apps control radios"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.14.1'
- Task = "Turn off Let apps control radios"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.14.1'
- Task = "Turn off Let apps control radios"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_15_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsSyncWithDevices' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.15.1'
- Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.15.1'
- Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.15.1'
- Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.15.1'
- Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_15_2 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessTrustedDevices' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.15.2'
- Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.15.2'
- Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.15.2'
- Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.15.2'
- Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_16_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -ErrorAction Stop | Select-Object -ExpandProperty 'DoNotShowFeedbackNotifications' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '18.16.1'
- Task = "Do not show feedback notificationsk"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.16.1'
- Task = "Do not show feedback notificationsk"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.16.1'
- Task = "Do not show feedback notificationsk"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.16.1'
- Task = "Do not show feedback notificationsk"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_16_2 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowTelemetry' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.16.2'
- Task = "Set Send your device data to Microsoft to Basic"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.16.2'
- Task = "Set Send your device data to Microsoft to Basic"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.16.2'
- Task = "Set Send your device data to Microsoft to Basic"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.16.2'
- Task = "Set Send your device data to Microsoft to Basic"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_16_3 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableWindowsConsumerFeatures' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '18.16.3'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.16.3'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.16.3'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.16.3'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_16_4 {
- try {
- $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableTailoredExperiencesWithDiagnosticData' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '18.16.4'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.16.4'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.16.4'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.16.4'
- Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_17 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsRunInBackground' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.17'
- Task = "Turn off Let apps run in the background"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.17'
- Task = "Turn off Let apps run in the background"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.17'
- Task = "Turn off Let apps run in the background"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.17'
- Task = "Turn off Let apps run in the background"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_18 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessMotion' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.18'
- Task = "Turn off Let Windows and your apps use your motion data and collect motion history"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.18'
- Task = "Turn off Let Windows and your apps use your motion data and collect motion history"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.18'
- Task = "Turn off Let Windows and your apps use your motion data and collect motion history"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.18'
- Task = "Turn off Let Windows and your apps use your motion data and collect motion history"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_19 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsAccessTasks' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.19'
- Task = "Set Let Windows apps access Tasks to Force Deny"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.19'
- Task = "Set Let Windows apps access Tasks to Force Deny"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.19'
- Task = "Set Let Windows apps access Tasks to Force Deny"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.19'
- Task = "Set Let Windows apps access Tasks to Force Deny"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_20 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsGetDiagnosticInfo' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '18.20'
- Task = "Let Windows apps access diagnostic information about other apps"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.20'
- Task = "Let Windows apps access diagnostic information about other apps"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.20'
- Task = "Let Windows apps access diagnostic information about other apps"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.20'
- Task = "Let Windows apps access diagnostic information about other apps"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_21 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\InputPersonalization' -ErrorAction Stop | Select-Object -ExpandProperty 'RestrictImplicitTextCollection' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '18.21'
- Task = "Turn off Inking & Typing data collection"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.21'
- Task = "Turn off Inking & Typing data collection"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.21'
- Task = "Turn off Inking & Typing data collection"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.21'
- Task = "Turn off Inking & Typing data collection"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_22_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'EnableActivityFeed' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.22.1'
- Task = "Disable Activity Feed"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.22.1'
- Task = "Disable Activity Feed"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.22.1'
- Task = "Disable Activity Feed"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.22.1'
- Task = "Disable Activity Feed"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_22_2 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'PublishUserActivities' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.22.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.22.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.22.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.22.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_22_3 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'UploadUserActivities' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.22.3'
- Task = "Disable Allow upload of User Activities"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.22.3'
- Task = "Disable Allow upload of User Activities"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.22.3'
- Task = "Disable Allow upload of User Activities"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.22.3'
- Task = "Disable Allow upload of User Activities"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_23_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'LetAppsActivateWithVoice' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.23.1'
- Task = "Disable Let Windows apps activate with voice"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.23.1'
- Task = "Disable Let Windows apps activate with voice"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.23.1'
- Task = "Disable Let Windows apps activate with voice"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.23.1'
- Task = "Disable Let Windows apps activate with voice"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_18_23_2 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy' -ErrorAction Stop | Select-Object -ExpandProperty 'PublishUserActivities' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '18.23.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '18.23.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '18.23.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '18.23.2'
- Task = "Disable Allow publishing of User Activities"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_19 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' -ErrorAction Stop | Select-Object -ExpandProperty 'NoGenTicket' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '19'
- Task = "Turn off KMS Client Online AVS Validation"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '19'
- Task = "Turn off KMS Client Online AVS Validation"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '19'
- Task = "Turn off KMS Client Online AVS Validation"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '19'
- Task = "Turn off KMS Client Online AVS Validation"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_20 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\StorageHealth' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowDiskHealthModelUpdates' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '20'
- Task = "Disable Allow downloading updates to the Disk Failure Prediction Model"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '20'
- Task = "Disable Allow downloading updates to the Disk Failure Prediction Model"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '20'
- Task = "Disable Allow downloading updates to the Disk Failure Prediction Model"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '20'
- Task = "Disable Allow downloading updates to the Disk Failure Prediction Model"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_21_1 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\SettingSync' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableSettingSync' -ErrorAction Stop
- if ($regValue -eq '2') {
- return [AuditInfo] @{
- Id = '21.1'
- Task = "Enable Do not sync"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '21.1'
- Task = "Enable Do not sync"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '21.1'
- Task = "Enable Do not sync"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '21.1'
- Task = "Enable Do not sync"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_21_2 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\SettingSync' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableSettingSyncUserOverride' -ErrorAction Stop
- if ($regValue -eq '1') {
- return [AuditInfo] @{
- Id = '21.2'
- Task = "Disable Allow users to turn syncing on"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '21.2'
- Task = "Disable Allow users to turn syncing on"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '21.2'
- Task = "Disable Allow users to turn syncing on"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '21.2'
- Task = "Disable Allow users to turn syncing on"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_21_3 {
- try {
- $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Messaging' -ErrorAction Stop | Select-Object -ExpandProperty 'CloudServiceSyncEnabled' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '21.3'
- Task = "Turn off Messaging cloud sync"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '21.3'
- Task = "Turn off Messaging cloud sync"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '21.3'
- Task = "Turn off Messaging cloud sync"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '21.3'
- Task = "Turn off Messaging cloud sync"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_22 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition' -ErrorAction Stop | Select-Object -ExpandProperty 'Teredo_State' -ErrorAction Stop
- if ($regValue -eq 'Disabled') {
- return [AuditInfo] @{
- Id = '22'
- Task = "Set Teredo State to disabled state"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '22'
- Task = "Set Teredo State to disabled state"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '22'
- Task = "Set Teredo State to disabled state"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '22'
- Task = "Set Teredo State to disabled state"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False
- }
-}
-
-function Test-Windows10_GDPR_MS_23 {
- try {
- $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config' -ErrorAction Stop | Select-Object -ExpandProperty 'AutoConnectAllowedOEM' -ErrorAction Stop
- if ($regValue -eq '0') {
- return [AuditInfo] @{
- Id = '23'
- Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts"
- Message = 'Compliant'
- Audit = [AuditStatus]::True
- }
- }
- else {
- return [AuditInfo] @{
- Id = '23'
- Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts"
- Message = 'Registry value is wrong'
- Audit = [AuditStatus]::False
- }
- }
- }
- catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] {
- return [AuditInfo] @{
- Id = '23'
- Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts"
- Message = 'Registry key or value not found'
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo] @{
- Id = '23'
- Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts"
- Message = 'An error occured.'
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet' -ErrorAction Stop | Select-Object -ExpandProperty 'SpyNetReporting' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '24.0.1' - Task = "Disable Join Microsoft MAPS" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.1' - Task = "Disable Join Microsoft MAPS" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.1' - Task = "Disable Join Microsoft MAPS" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.0.1' - Task = "Disable Join Microsoft MAPS" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet' -ErrorAction Stop | Select-Object -ExpandProperty 'SubmitSamplesConsent' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '24.0.3' - Task = "Set Send file samples when further analysis is required to Never Send" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.3' - Task = "Set Send file samples when further analysis is required to Never Send" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.3' - Task = "Set Send file samples when further analysis is required to Never Send" - Message = 'Registry key or value not found' - Audit = 
[AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.0.3' - Task = "Set Send file samples when further analysis is required to Never Send" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates' -ErrorAction Stop | Select-Object -ExpandProperty 'FallbackOrder' -ErrorAction Stop - if ($regValue -eq 'FileShares') { - return [AuditInfo] @{ - Id = '24.0.4' - Task = "Set Define the order of sources for downloading definition updates to FileShares" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.4' - Task = "Set Define the order of sources for downloading definition updates to FileShares" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.4' - Task = "Set Define the order of sources for downloading definition updates to FileShares" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.0.4' - Task = "Set Define the order of sources for downloading definition updates to FileShares" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates' -ErrorAction Stop | Select-Object -ExpandProperty 'DefinitionUpdateFileSharesSources' -ErrorAction Stop - if ($null -eq $regValue) { - return [AuditInfo] @{ - Id = '24.0.5' - Task = "Define Define file shares for downloading definition updates to Nothing" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.5' - Task = "Define Define file shares for downloading definition updates to Nothing" - Message = 'Registry value found' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.5' - Task = "Define Define file shares for downloading definition updates to Nothing" - Message = 'Compliant. Registry key or value not found' - Audit = [AuditStatus]::True - } - } - - return [AuditInfo] @{ - Id = '24.0.5' - Task = "Define Define file shares for downloading definition updates to Nothing" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\MRT' -ErrorAction Stop | Select-Object -ExpandProperty 'DontReportInfectionInformation' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '24.0.6' - Task = "Turn off Malicious Software Reporting Tool diagnostic data" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.6' - Task = "Turn off Malicious Software Reporting Tool diagnostic data" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.6' - Task = "Turn off Malicious Software Reporting Tool diagnostic data" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.0.6' - Task = "Turn off Malicious Software Reporting Tool diagnostic data" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_0_7 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableEnhancedNotifications' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '24.0.7' - Task = "Turn off Enhanced Notifications as follows" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.0.7' - Task = "Turn off Enhanced Notifications as follows" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.0.7' - Task = "Turn off Enhanced Notifications as follows" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.0.7' - Task = "Turn off Enhanced Notifications as follows" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_1_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'EnableSmartScreen' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '24.1.1' - Task = "Disable Windows Defender Smartscreen" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.1.1' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.1.1' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.1.1' - Task = "Disable Windows Defender Smartscreen" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_1_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen' -ErrorAction Stop | Select-Object -ExpandProperty 'ConfigureAppInstallControlEnabled' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '24.1.2' - Task = "Disable Windows Defender Smartscreen" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.1.2' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.1.2' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.1.2' - Task = "Disable Windows Defender Smartscreen" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_24_1_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen' -ErrorAction Stop | Select-Object -ExpandProperty 'ConfigureAppInstallControl' -ErrorAction Stop - if ($regValue -eq 'Anywhere') { - return [AuditInfo] @{ - Id = '24.1.3' - Task = "Disable Windows Defender Smartscreen" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '24.1.3' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '24.1.3' - Task = "Disable Windows Defender Smartscreen" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '24.1.3' - Task = "Disable Windows Defender Smartscreen" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_1 { - try { - $regValue = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableWindowsSpotlightFeatures' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '25.1' - Task = "Turn off all Windows spotlight features" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.1' - Task = "Turn off all Windows spotlight features" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.1' - Task = "Turn off all Windows spotlight features" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.1' - Task = "Turn off all Windows spotlight features" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -ErrorAction Stop | Select-Object -ExpandProperty 'NoLockScreen' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '25.2' - Task = "Do not display the Lock Screen" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.2' - Task = "Do not display the Lock Screen" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.2' - Task = "Do not display the Lock Screen" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.2' - Task = "Do not display the Lock Screen" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -ErrorAction Stop | Select-Object -ExpandProperty 'LockScreenImage' -ErrorAction Stop - if ($regValue -eq 'C:\windows\web\screen\lockscreen.jpg') { - return [AuditInfo] @{ - Id = '25.3' - Task = "Force a specific default lock screen image and logon image" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.3' - Task = "Force a specific default lock screen image and logon image" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.3' - Task = "Force a specific default lock screen image and logon image" - Message = 'Registry key or value not found' - Audit = 
[AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.3' - Task = "Force a specific default lock screen image and logon image" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -ErrorAction Stop | Select-Object -ExpandProperty 'LockScreenOverlaysDisabled' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '25.4' - Task = "Turn off fun facts, tips, tricks, and more on lock screen" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.4' - Task = "Turn off fun facts, tips, tricks, and more on lock screen" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.4' - Task = "Turn off fun facts, tips, tricks, and more on lock screen" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.4' - Task = "Turn off fun facts, tips, tricks, and more on lock screen" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableSoftLanding' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '25.5' - Task = "Do not show Windows tips" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.5' - Task = "Do not show Windows tips" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.5' - Task = "Do not show Windows tips" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.5' - Task = "Do not show Windows tips" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_25_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableWindowsConsumerFeatures' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '25.6' - Task = "Turn off Microsoft consumer experiences" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '25.6' - Task = "Turn off Microsoft consumer experiences" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '25.6' - Task = "Turn off Microsoft consumer experiences" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '25.6' - Task = "Turn off Microsoft consumer experiences" 
- Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_26_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableStoreApps' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '26.1' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '26.1' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '26.1' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '26.1' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_26_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -ErrorAction Stop | Select-Object -ExpandProperty 'AutoDownload' -ErrorAction Stop - if ($regValue -eq '2') { - return [AuditInfo] @{ - Id = '26.2' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '26.2' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '26.2' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '26.2' - Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_27 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction Stop | Select-Object -ExpandProperty 'EnableAppUriHandlers' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '27' - Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '27' - Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '27' - Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '27' - Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_28_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction Stop | Select-Object -ExpandProperty 'DODownloadMode' -ErrorAction Stop - if ($regValue -eq '100') { - return [AuditInfo] @{ - Id = '28.3' - Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '28.3' - Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '28.3' - Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '28.3' - Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop | Select-Object -ExpandProperty 'DoNotConnectToWindowsUpdateInternetLocations' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '29.1' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.1' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.1' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.1' - Task = "Turn off Windows Update" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop | Select-Object -ExpandProperty 'DisableWindowsUpdateAccess' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '29.2' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.2' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.2' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.2' - Task = "Turn off Windows Update" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_3 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop | Select-Object -ExpandProperty 'WUServer' -ErrorAction Stop - if ($regValue -eq '') { - return [AuditInfo] @{ - Id = '29.3' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.3' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.3' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.3' - Task = "Turn off Windows Update" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_4 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop | Select-Object -ExpandProperty 'WUStatusServer' -ErrorAction Stop - if ($regValue -eq '') { - return [AuditInfo] @{ - Id = '29.4' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.4' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.4' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.4' - Task = "Turn off Windows Update" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_5 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop | Select-Object -ExpandProperty 'UpdateServiceUrlAlternate' -ErrorAction Stop - if ($regValue -eq '') { - return [AuditInfo] @{ - Id = '29.5' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.5' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.5' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.5' - Task = "Turn off Windows Update" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_MS_29_6 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction Stop | Select-Object -ExpandProperty 'UseWUServer' -ErrorAction Stop - if ($regValue -eq '1') { - return [AuditInfo] @{ - Id = '29.6' - Task = "Turn off Windows Update" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '29.6' - Task = "Turn off Windows Update" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '29.6' - Task = "Turn off Windows Update" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '29.6' - Task = "Turn off Windows Update" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_BSI_3_1_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' -ErrorAction Stop | Select-Object -ExpandProperty 'AllowTelemetry' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '3.1.1' - Task = "Configuration of the lowest telemetry-level" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.1.1' - Task = "Configuration of the lowest telemetry-level" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.1.1' - Task = "Configuration of the lowest telemetry-level" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.1.1' - Task = "Configuration of the lowest telemetry-level" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_BSI_3_1_2_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DiagTrack' -ErrorAction Stop | Select-Object -ExpandProperty 'Start' -ErrorAction Stop - if ($regValue -eq '4') { - return [AuditInfo] @{ - Id = '3.1.2.1' - Task = "Deactivation of the telemetry-service and etw-sessions - DiagTrack" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.1.2.1' - Task = "Deactivation of the telemetry-service and etw-sessions - DiagTrack" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.1.2.1' - Task = "Deactivation of the telemetry-service and etw-sessions - DiagTrack" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.1.2.1' - Task = "Deactivation of the telemetry-service and etw-sessions - DiagTrack" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_BSI_3_1_2_2 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener' -ErrorAction Stop | Select-Object -ExpandProperty 'Start' -ErrorAction Stop - if ($regValue -eq '0') { - return [AuditInfo] @{ - Id = '3.1.2.2' - Task = "Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.1.2.2' - Task = "Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.1.2.2' - Task = "Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.1.2.2' - Task = "Deactivation of the telemetry-service and etw-sessions - Autologger-Diatrack-Listener" - Message = 'An error occured.' 
- Audit = [AuditStatus]::False - } -} - -function Test-Windows10_GDPR_BSI_3_1_3_1 { - try { - $regValue = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' -ErrorAction Stop | Select-Object -ExpandProperty 'Start' -ErrorAction Stop - if ($regValue -eq '4') { - return [AuditInfo] @{ - Id = '3.1.3.1' - Task = "Deactivation of telemetry according to Microsoft recommendation" - Message = 'Compliant' - Audit = [AuditStatus]::True - } - } - else { - return [AuditInfo] @{ - Id = '3.1.3.1' - Task = "Deactivation of telemetry according to Microsoft recommendation" - Message = 'Registry value is wrong' - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { - return [AuditInfo] @{ - Id = '3.1.3.1' - Task = "Deactivation of telemetry according to Microsoft recommendation" - Message = 'Registry key or value not found' - Audit = [AuditStatus]::False - } - } - - return [AuditInfo] @{ - Id = '3.1.3.1' - Task = "Deactivation of telemetry according to Microsoft recommendation" - Message = 'An error occured.' - Audit = [AuditStatus]::False - } -} - -function Get-Windows10GDPRHtmlReport { - <# - .Synopsis - Generates an audit report in an html file. - .Description - The Get-Windows10GDPRHtmlReport cmdlet collects by default data from the current machine to generate an audit report. - .Parameter Path - Specifies the relative path to the file in which the report will be stored. 
- .Example - C:\PS> Get-Windows10GDPRHtmlReport -Path "MyReport.html" - #> - - [CmdletBinding()] - param ( - [string] $Path = "$($env:HOMEPATH)\Documents\$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode - ) - - $args = @{ - Path = $Path - Title = 'Windows 10 GDPR Audit Report' - ModuleName = 'Windows10GDPRAudit' - BasedOn = 'GDPR settings by Microsoft', 'Bundesamt für Sicherheit in der Informationstechnik (BSI)' - Sections = @( - @{ - Title = 'GDPR settings by Microsoft' - AuditInfos = @( - Test-Windows10_GDPR_MS_1 - Test-Windows10_GDPR_MS_2_1_1 - Test-Windows10_GDPR_MS_2_1_2 - Test-Windows10_GDPR_MS_2_1_3 - Test-Windows10_GDPR_MS_2_1_4 - Test-Windows10_GDPR_MS_2_1_5 - Test-Windows10_GDPR_MS_3_1 - Test-Windows10_GDPR_MS_3_2 - Test-Windows10_GDPR_MS_4 - Test-Windows10_GDPR_MS_5 - Test-Windows10_GDPR_MS_6 - Test-Windows10_GDPR_MS_7 - Test-Windows10_GDPR_MS_8_0_1 - Test-Windows10_GDPR_MS_8_0_2 - Test-Windows10_GDPR_MS_8_0_3 - Test-Windows10_GDPR_MS_8_0_4 - Test-Windows10_GDPR_MS_8_0_5 - Test-Windows10_GDPR_MS_8_0_6 - Test-Windows10_GDPR_MS_8_0_7 - Test-Windows10_GDPR_MS_8_0_8 - Test-Windows10_GDPR_MS_8_0_9 - Test-Windows10_GDPR_MS_8_0_10 - Test-Windows10_GDPR_MS_8_0_11 - Test-Windows10_GDPR_MS_8_0_12 - Test-Windows10_GDPR_MS_8_0_13 - Test-Windows10_GDPR_MS_8_1 - Test-Windows10_GDPR_MS_9 - Test-Windows10_GDPR_MS_10 - Test-Windows10_GDPR_MS_11 - Test-Windows10_GDPR_MS_12 - Test-Windows10_GDPR_MS_13_1 - Test-Windows10_GDPR_MS_13_2 - Test-Windows10_GDPR_MS_13_3 - Test-Windows10_GDPR_MS_13_4 - Test-Windows10_GDPR_MS_13_5 - Test-Windows10_GDPR_MS_13_6 - Test-Windows10_GDPR_MS_13_7 - Test-Windows10_GDPR_MS_13_8 - Test-Windows10_GDPR_MS_13_9 - Test-Windows10_GDPR_MS_13_10 - Test-Windows10_GDPR_MS_13_11 - Test-Windows10_GDPR_MS_14 - Test-Windows10_GDPR_MS_15_1 - Test-Windows10_GDPR_MS_15_2 - Test-Windows10_GDPR_MS_16_1 - Test-Windows10_GDPR_MS_16_2 - Test-Windows10_GDPR_MS_18_1_1 - Test-Windows10_GDPR_MS_18_1_2 - Test-Windows10_GDPR_MS_18_1_3 - 
Test-Windows10_GDPR_MS_18_1_4 - Test-Windows10_GDPR_MS_18_2_1 - Test-Windows10_GDPR_MS_18_2_2 - Test-Windows10_GDPR_MS_18_3_1 - Test-Windows10_GDPR_MS_18_4_1 - Test-Windows10_GDPR_MS_18_5_1 - Test-Windows10_GDPR_MS_18_5_2 - Test-Windows10_GDPR_MS_18_6_1 - Test-Windows10_GDPR_MS_18_6_2 - Test-Windows10_GDPR_MS_18_7_1 - Test-Windows10_GDPR_MS_18_8 - Test-Windows10_GDPR_MS_18_9_1 - Test-Windows10_GDPR_MS_18_10 - Test-Windows10_GDPR_MS_18_11 - Test-Windows10_GDPR_MS_18_12_1 - Test-Windows10_GDPR_MS_18_12_3 - Test-Windows10_GDPR_MS_18_13_1 - Test-Windows10_GDPR_MS_18_14_1 - Test-Windows10_GDPR_MS_18_15_1 - Test-Windows10_GDPR_MS_18_15_2 - Test-Windows10_GDPR_MS_18_16_1 - Test-Windows10_GDPR_MS_18_16_2 - Test-Windows10_GDPR_MS_18_16_3 - Test-Windows10_GDPR_MS_18_16_4 - Test-Windows10_GDPR_MS_18_17 - Test-Windows10_GDPR_MS_18_18 - Test-Windows10_GDPR_MS_18_19 - Test-Windows10_GDPR_MS_18_20 - Test-Windows10_GDPR_MS_18_21 - Test-Windows10_GDPR_MS_18_22_1 - Test-Windows10_GDPR_MS_18_22_2 - Test-Windows10_GDPR_MS_18_22_3 - Test-Windows10_GDPR_MS_18_23_1 - Test-Windows10_GDPR_MS_18_23_2 - Test-Windows10_GDPR_MS_19 - Test-Windows10_GDPR_MS_20 - Test-Windows10_GDPR_MS_21_1 - Test-Windows10_GDPR_MS_21_2 - Test-Windows10_GDPR_MS_21_3 - Test-Windows10_GDPR_MS_22 - Test-Windows10_GDPR_MS_23 - Test-Windows10_GDPR_MS_24_0_1 - Test-Windows10_GDPR_MS_24_0_3 - Test-Windows10_GDPR_MS_24_0_4 - Test-Windows10_GDPR_MS_24_0_5 - Test-Windows10_GDPR_MS_24_0_6 - Test-Windows10_GDPR_MS_24_0_7 - Test-Windows10_GDPR_MS_24_1_1 - Test-Windows10_GDPR_MS_24_1_2 - Test-Windows10_GDPR_MS_24_1_3 - Test-Windows10_GDPR_MS_25_1 - Test-Windows10_GDPR_MS_25_2 - Test-Windows10_GDPR_MS_25_3 - Test-Windows10_GDPR_MS_25_4 - Test-Windows10_GDPR_MS_25_5 - Test-Windows10_GDPR_MS_25_6 - Test-Windows10_GDPR_MS_26_1 - Test-Windows10_GDPR_MS_26_2 - Test-Windows10_GDPR_MS_27 - Test-Windows10_GDPR_MS_28_3 - Test-Windows10_GDPR_MS_29_1 - Test-Windows10_GDPR_MS_29_2 - Test-Windows10_GDPR_MS_29_3 - Test-Windows10_GDPR_MS_29_4 
- Test-Windows10_GDPR_MS_29_5
- Test-Windows10_GDPR_MS_29_6
-
- )
- }
- @{
- Title = 'Bundesamt für Sicherheit in der Informationstechnik (BSI)'
- AuditInfos = @(
- Test-Windows10_GDPR_BSI_3_1_1
- Test-Windows10_GDPR_BSI_3_1_2_1
- Test-Windows10_GDPR_BSI_3_1_2_2
- Test-Windows10_GDPR_BSI_3_1_3_1
-
- )
- }
-
- )
- DarkMode = $DarkMode
- }
-
- Get-ATAPHtmlReport @args
-}
-
diff --git a/WindowsServer2016Audit/CISBenchmarks.psd1 b/WindowsServer2016Audit/CISBenchmarks.psd1
deleted file mode 100644
index 7e2b4150..00000000
--- a/WindowsServer2016Audit/CISBenchmarks.psd1
+++ /dev/null
@@ -1,1812 +0,0 @@
-@{
- # registry values need to be checked
- RegistrySettings = @(
- # Account Policies
- @{
- Id = "2.3.1.2"
- Task = "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "NoConnectedUser"
- Value = 3
- }
- @{
- Id = "2.3.2.2"
- Task = "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "CrashOnAuditFail"
- Value = 0
- }
- @{
- Id = "2.3.4.1"
- Task = "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Name = "AllocateDASD"
- Value = 0
- }
- @{
- Id = "2.3.4.2"
- Task = "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
- Name = "AddPrinterDrivers"
- Value = 1
- }
- @{
- Id = "2.3.5.1"
- Task = "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
- Role = "PrimaryDomainController"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "SubmitControl"
- Value = 0
- }
- @{
- Id = "2.3.7.1"
- Task = "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "DontDisplayLastUserName"
- Value = 1
- }
- @{
- Id = "2.3.7.2"
- Task = "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "DisableCAD"
- Value = 0
- }
- @{
- Id = "2.3.9.4"
- Task = "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
-
- Path = 
"HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" - Name = "enableforcedlogoff" - Value = 1 - } - @{ - Id = "2.3.9.5" - Task = "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)" - Role = "MemberServer", "StandaloneServer" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" - Name = "SMBServerNameHardeningLevel" - Value = 1 - } - @{ - Id = "2.3.10.6" - Task = "Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" - Role = "PrimaryDomainController" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" - Name = "NullSessionPipes" - Value = "LSARPC", "NETLOGON", "SAMR" - } - @{ - Id = "2.3.10.7" - Task = "Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" - Role = "MemberServer", "StandaloneServer" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" - Name = "NullSessionPipes" - Value = @("") - ValueType = "MultiString" - } - @{ - Id = "2.3.10.8" - Task = "Configure 'Network access: Remotely accessible registry paths'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" - Name = "Machine" - Value = @( - "System\CurrentControlSet\Control\ProductOptions", - "System\CurrentControlSet\Control\Server Applications", - "Software\Microsoft\Windows NT\CurrentVersion" - ) - } - @{ - Id = "2.3.10.9" - Task = "Configure 'Network access: Remotely accessible registry paths and sub-paths'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" - Name = "Machine" - Value = @( - "System\CurrentControlSet\Control\Print\Printers", - "System\CurrentControlSet\Services\Eventlog", - "Software\Microsoft\OLAP Server", - "Software\Microsoft\Windows NT\CurrentVersion\Print", - "Software\Microsoft\Windows NT\CurrentVersion\Windows", - "System\CurrentControlSet\Control\ContentIndex", - 
"System\CurrentControlSet\Control\Terminal Server", - "System\CurrentControlSet\Control\Terminal Server\UserConfig", - "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration", - "Software\Microsoft\Windows NT\CurrentVersion\Perflib", - "System\CurrentControlSet\Services\SysmonLog" - ) - } - @{ - Id = "2.3.10.12" - Task = "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" - Name = "NullSessionShares" - Value = @("") - ValueType = "MultiString" - } - @{ - Id = "2.3.10.13" - Task = "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" - Name = "ForceGuest" - Value = 0 - } - @{ - Id = "2.3.13.1" - Task = "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" - Name = "ShutdownWithoutLogon" - Value = 0 - } - @{ - Id = "2.3.17.8" - Task = "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" - Name = "PromptOnSecureDesktop" - Value = 1 - } - - # Control Panel - @{ - Id = "18.1.1.1" - Task = "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled" - - Path = "HKLM:\Software\Policies\Microsoft\Windows\Personalization" - Name = "NoLockScreenCamera" - Value = 1 - } - @{ - Id = "18.1.2.2" - Task = "Ensure 'Allow input personalization' is set to 'Disabled' " - - Path = "HKLM:\Software\Policies\Microsoft\InputPersonalization" - Name = "AllowInputPersonalization" - Value = 0 - } - @{ - Id = "18.1.3" - Task = "Ensure 'Allow Online Tips' is set to 'Disabled'" - - Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" - Name = "AllowOnlineTips" 
- Value = 0 - } - - # LAPS - # @{ - # Id = "18.2.1" - # Task = "Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - # Role = "MemberServer" - - # Path = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D087DE603E3EA}" - # Name = "DllName" - # Value = 1 #TODO: Need real value - # } - @{ - Id = "18.2.2" - Task = "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - Name = "PwdExpirationProtectionEnabled" - Value = 1 - } - @{ - Id = "18.2.3" - Task = "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - Name = "AdmPwdEnabled" - Value = 1 - } - @{ - Id = "18.2.4" - Task = "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' " - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - Name = "PasswordComplexity" - Value = 4 - } - @{ - Id = "18.2.5" - Task = "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - Name = "PasswordLength" - Value = 15 - SpecialValue = @{ - Type = "Range" - Value = "15 or greater" - } - } - @{ - Id = "18.2.6" - Task = "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" - Name = "PasswordAgeDays" - Value = 30 - SpecialValue = @{ - Type = "Range" - Value = "30 or less" - } - } - - # MS Security - @{ - Id = "18.3.4" - Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" - Name = 
"DisableExceptionChainValidation" - Value = 0 - } - @{ - Id = "18.3.5" - Task = "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" - Name = "MpEnablePus" - Value = 1 - } - - # MSS - @{ - Id = "18.4.1" - Task = "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" - Name = "AutoAdminLogon" - Value = "0" - } - @{ - Id = "18.4.5" - Task = "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" - Name = "KeepAliveTime" - Value = 300000 - } - @{ - Id = "18.4.7" - Task = "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" - Name = "PerformRouterDiscovery" - Value = 0 - } - @{ - Id = "18.4.8" - Task = "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" - Name = "SafeDllSearchMode" - Value = 1 - } - @{ - Id = "18.4.9" - Task = "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" - Name = "ScreenSaverGracePeriod" - Value = 5 - SpecialValue = @{ - Type = "Range" - Value = "5 seconds or less" - } - } - @{ - Id = "18.4.10" - Task = "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" - Name = 
"TcpMaxDataRetransmissions" - Value = 3 - } - @{ - Id = "18.4.11" - Task = "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" - Name = "TcpMaxDataRetransmissions" - Value = 3 - } - @{ - Id = "18.4.12" - Task = "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" - - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security" - Name = "WarningLevel" - Value = 90 - SpecialValue = @{ - Type = "Range" - Value = "90 percent or less" - } - } - - # Network - @{ - Id = "18.5.5.1" - Task = "Ensure 'Enable Font Providers' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "EnableFontProviders" - Value = 0 - } - @{ - Id = "18.5.9.1 A" - Task = "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "AllowLLTDIOOnDomain" - Value = 0 - } - @{ - Id = "18.5.9.1 B" - Task = "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "AllowLLTDIOOnPublicNet" - Value = 0 - } - @{ - Id = "18.5.9.1 C" - Task = "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "EnableLLTDIO" - Value = 0 - } - @{ - Id = "18.5.9.1 D" - Task = "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "ProhibitLLTDIOOnPrivateNet" - Value = 0 - } - @{ - Id = "18.5.9.2 A" - Task = "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "AllowRspndrOnDomain" - Value = 0 - } - @{ - Id = "18.5.9.2 B" - Task = "Ensure 'Turn on Responder 
(RSPNDR) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "AllowRspndrOnPublicNet" - Value = 0 - } - @{ - Id = "18.5.9.2 C" - Task = "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "EnableRspndr" - Value = 0 - } - @{ - Id = "18.5.9.2 D" - Task = "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" - Name = "ProhibitRspndrOnPrivateNet" - Value = 0 - } - @{ - Id = "18.5.10.2" - Task = "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Peernet" - Name = "Disabled" - Value = 1 - } - @{ - Id = "18.5.11.2" - Task = "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" - Name = "NC_AllowNetBridge_NLA" - Value = 0 - } - @{ - Id = "18.5.11.3" - Task = "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" - Name = "NC_ShowSharedAccessUI" - Value = 0 - } - @{ - Id = "18.5.11.4" - Task = "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" - Name = "NC_StdDomainUserSetLocation" - Value = 1 - } - @{ - Id = "18.5.20.1 A" - Task = "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" - Name = "EnableRegistrars" - Value = 0 - } - @{ - Id = "18.5.20.1 B" - Task = "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - - Path = 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" - Name = "DisableUPnPRegistrar" - Value = 0 - } - @{ - Id = "18.5.20.1 C" - Task = "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" - Name = "DisableInBand802DOT11Registrar" - Value = 0 - } - @{ - Id = "18.5.20.1 D" - Task = "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" - Name = "DisableFlashConfigRegistrar" - Value = 0 - } - @{ - Id = "18.5.20.1 E" - Task = "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" - Name = "DisableWPDRegistrar" - Value = 0 - } - @{ - Id = "18.5.20.2" - Task = "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI" - Name = "DisableWcnUi" - Value = 1 - } - @{ - Id = "18.5.21.1" - Task = "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" - Name = "fMinimizeConnections" - Value = 1 - } - @{ - Id = "18.5.21.2" - Task = "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" - Name = "fBlockNonDomain" - Value = 1 - } - - # System - @{ - Id = "18.8.4.1" - Task = "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" - Name = "AllowProtectedCreds" - Value = 1 - } - @{ - Id = "18.8.5.4" - Task = "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is 
set to 'True (checked)'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" - Name = "HVCIMATRequired" - Value = 1 - } - @{ - Id = "18.8.21.2" - Task = "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" - Name = "NoBackgroundPolicy" - Value = 0 - } - @{ - Id = "18.8.21.4" - Task = "Ensure 'Continue experiences on this device' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "EnableCdp" - Value = 0 - } - @{ - Id = "18.8.21.5" - Task = "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" - Name = "DisableBkGndGroupPolicy" - DoesNotExist = $true - } - @{ - Id = "18.8.22.1.2" - Task = "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC" - Name = "PreventHandwritingDataSharing" - Value = 1 - } - @{ - Id = "18.8.22.1.3" - Task = "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" - Name = "PreventHandwritingErrorReports" - Value = 1 - } - @{ - Id = "18.8.22.1.4" - Task = "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard" - Name = "ExitOnMSICW" - Value = 1 - } - @{ - Id = "18.8.22.1.5" - Task = "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" - Name = "NoWebServices" - Value = 1 - } - @{ - Id = "18.8.22.1.7" - Task = "Ensure 'Turn off Registration if URL 
connection is referring to Microsoft.com' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control" - Name = "NoRegistration" - Value = 1 - } - @{ - Id = "18.8.22.1.8" - Task = "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion" - Name = "DisableContentFileUpdates" - Value = 1 - } - @{ - Id = "18.8.22.1.9" - Task = "Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" - Name = "NoOnlinePrintsWizard" - Value = 1 - } - @{ - Id = "18.8.22.1.10" - Task = "Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" - Name = "NoPublishingWizard" - Value = 1 - } - @{ - Id = "18.8.22.1.11" - Task = "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client" - Name = "CEIP" - Value = 2 - } - @{ - Id = "18.8.22.1.12" - Task = "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows" - Name = "CEIPEnable" - Value = 0 - } - @{ - Id = "18.8.22.1.13 A" - Task = "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" - Name = "Disabled" - Value = 1 - } - @{ - Id = "18.8.22.1.13 B" - Task = "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" - Name = "DoReport" - Value = 0 - } - @{ - Id = "18.8.25.1 A" - Task = "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" - - Path = 
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" - Name = "DevicePKInitBehavior" - Value = 0 - } - @{ - Id = "18.8.25.1 B" - Task = "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" - - Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" - Name = "DevicePKInitEnabled" - Value = 1 - } - @{ - Id = "18.8.26.1" - Task = "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International" - Name = "BlockUserInputMethodsForSignIn" - Value = 1 - } - @{ - Id = "18.8.27.1" - Task = "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "BlockUserFromShowingAccountDetailsOnSignin" - Value = 1 - } - @{ - Id = "18.8.27.3" - Task = "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "DontEnumerateConnectedUsers" - Value = 1 - } - @{ - Id = "18.8.27.5" - Task = "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "DisableLockScreenAppNotifications" - Value = 1 - } - @{ - Id = "18.8.27.6" - Task = "Ensure 'Turn off picture password sign-in' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "BlockDomainPicturePassword" - Value = 1 - } - @{ - Id = "18.8.27.7" - Task = "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" - Name = "AllowDomainPINLogon" - Value = 0 - } - # @{ - # Id = "18.8.28.1" - # Task = "Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'" - - # Path = 
"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions" - # Name = "MitigationOptions_FontBocking" - # Value = 1000000000000 - # } - @{ - Id = "18.8.33.6.1" - Task = "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" - Name = "DCSettingIndex" - Value = 0 - } - @{ - Id = "18.8.33.6.2" - Task = "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" - Name = "ACSettingIndex" - Value = 0 - } - @{ - Id = "18.8.35.1" - Task = "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" - Name = "fAllowUnsolicited" - Value = 0 - } - @{ - Id = "18.8.35.2" - Task = "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" - Name = "fAllowToGetHelp" - Value = 0 - } - @{ - Id = "18.8.36.1" - Task = "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" - Role = "MemberServer", "StandaloneServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" - Name = "EnableAuthEpResolution" - Value = 1 - } - @{ - Id = "18.8.44.5.1" - Task = "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" - Name = "DisableQueryRemoteServer" - Value = 0 - } - @{ - Id = "18.8.44.11.1" - Task = "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" - Name = "ScenarioExecutionEnabled" - Value = 0 - } - @{ - Id = "18.8.46.1" - Task = 
"Ensure 'Turn off the advertising ID' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\policies\Microsoft\Windows\AdvertisingInfo" - Name = "DisabledByGroupPolicy" - Value = 1 - } - @{ - Id = "18.8.49.1.1" - Task = "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" - Name = "Enabled" - Value = 1 - } - @{ - Id = "18.8.49.1.2" - Task = "Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" - Role = "MemberServer" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" - Name = "Enabled" - Value = 0 - } - - # Windows Compontents - @{ - Id = "18.9.4.1" - Task = "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" - Name = "AllowSharedLocalAppData" - Value = 0 - } - @{ - Id = "18.9.10.1" - Task = "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" - Name = "EnhancedAntiSpoofing" - Value = 1 - } - @{ - Id = "18.9.12.1" - Task = "Ensure 'Allow Use of Camera' is set to 'Disabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Camera" - Name = "AllowCamera" - Value = 0 - } - @{ - Id = "18.9.13.1" - Task = "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" - Name = "DisableWindowsConsumerFeatures" - Value = 1 - } - @{ - Id = "18.9.14.1" - Task = "Ensure 'Require pin for pairing' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect" - Name = "RequirePinForPairing" - Value = 1 - } - @{ - Id = "18.9.15.1" - Task = "Ensure 'Do not display the password reveal button' is set to 'Enabled'" - - Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI" - Name = "DisablePasswordReveal" - Value = 1 - } - @{ - Id = "18.9.16.2" - Task = 
"Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
- Name = "DisableEnterpriseAuthProxy"
- Value = 1
- }
- @{
- Id = "18.9.16.3"
- Task = "Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds"
- Name = "EnableConfigFlighting"
- Value = 0
- }
- @{
- Id = "18.9.16.4"
- Task = "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
- Name = "DoNotShowFeedbackNotifications"
- Value = 1
- }
- @{
- Id = "18.9.16.5"
- Task = "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds"
- Name = "AllowBuildPreview"
- Value = 0
- }
- @{
- Id = "18.9.26.1.1"
- Task = "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application"
- Name = "Retention"
- Value = "0"
- }
- @{
- Id = "18.9.26.2.1"
- Task = "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
- Name = "Retention"
- Value = "0"
- }
- @{
- Id = "18.9.26.3.1"
- Task = "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup"
- Name = "Retention"
- Value = "0"
- }
- @{
- Id = "18.9.26.3.2"
- Task = "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup"
- Name = "MaxSize"
- Value = 32768
- SpecialValue = @{
- Type =
"Range"
- Value = "32768 or greater"
- }
- }
- @{
- Id = "18.9.26.4.1"
- Task = "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System"
- Name = "Retention"
- Value = "0"
- }
- @{
- Id = "18.9.39.2"
- Task = "Ensure 'Turn off location' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors"
- Name = "DisableLocation"
- Value = 1
- }
- @{
- Id = "18.9.43.1"
- Task = "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging"
- Name = "AllowMessageSync"
- Value = 0
- }
- @{
- Id = "18.9.44.1"
- Task = "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount"
- Name = "DisableUserAuth"
- Value = 1
- }
- @{
- Id = "18.9.52.1"
- Task = "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive"
- Name = "DisableFileSyncNGSC"
- Value = 1
- }
- @{
- Id = "18.9.58.3.3.1"
- Task = "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fDisableCcm"
- Value = 1
- }
- @{
- Id = "18.9.58.3.3.3"
- Task = "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fDisableLPT"
- Value = 1
- }
- @{
- Id = "18.9.58.3.3.4"
- Task = "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fDisablePNPRedir"
- Value = 1
- }
- @{
- Id = "18.9.58.3.10.1"
- Task = "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
-
- Path
= "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "MaxIdleTime"
- Value = 900000
- SpecialValue = @{
- Type = "Range"
- Value = "900000 milliseconds or less"
- }
- }
- @{
- Id = "18.9.58.3.10.2"
- Task = "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "MaxDisconnectionTime"
- Value = 60000
- }
- @{
- Id = "18.9.58.3.11.1"
- Task = "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "DeleteTempDirsOnExit"
- Value = 1
- }
- @{
- Id = "18.9.58.3.11.2"
- Task = "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "PerSessionTempDir"
- Value = 1
- }
- @{
- Id = "18.9.60.2"
- Task = "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- Name = "AllowCloudSearch"
- Value = 0
- }
- @{
- Id = "18.9.65.1"
- Task = "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform"
- Name = "NoGenTicket"
- Value = 1
- }
- # use Get-MpPreference
-
- @{
- Id = "18.9.76.3.1"
- Task = "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
- Name = "LocalSettingOverrideSpynetReporting"
- Value = 0
- }
- @{
- Id = "18.9.76.3.2"
- Task = "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
- Name = "SpynetReporting"
- Value = 0
- }
- @{
- Id = "18.9.76.7.1"
- Task = "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
-
- Path =
"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
- Name = "DisableBehaviorMonitoring"
- Value = 0
- }
- @{
- Id = "18.9.76.9.1"
- Task = "Ensure 'Configure Watson events' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting"
- Name = "DisableGenericRePorts"
- Value = 1
- }
- @{
- Id = "18.9.76.10.1"
- Task = "Ensure 'Scan removable drives' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan"
- Name = "DisableRemovableDriveScanning"
- Value = 0
- }
- @{
- Id = "18.9.76.10.2"
- Task = "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan"
- Name = "DisableEmailScanning"
- Value = 0
- }
- @{
- Id = "18.9.76.13.1.1"
- Task = "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
- Name = "ExploitGuard_ASR_Rules"
- Value = 1
- }
- @{
- Id = "18.9.76.13.1.2 A"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 B"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "3b576869-a4ec-4529-8536-b80a7769e899"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 C"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 D"
- Task =
"Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 E"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 F"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "d3e037e1-3eb8-44c8-a917-57927947596d"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.1.2 G"
- Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
- Name = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
- Value = "1"
- }
- @{
- Id = "18.9.76.13.3.1"
- Task = "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"
- Name = "EnableNetworkProtection"
- Value = 1
- }
- @{
- Id = "18.9.76.14"
- Task = "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
- Name = "DisableAntiSpyware"
- Value = 0
- }
- @{ # found under Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection
- Id = "18.9.79.1.1"
- Task = "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
-
- Path =
"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection"
- Name = "DisallowExploitProtectionOverride"
- Value = 1
- }
- @{
- Id = "18.9.80.1.1 A"
- Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
-
- Path = "HKLM:SOFTWARE\Policies\Microsoft\Windows\System"
- Name = "EnableSmartScreen"
- Value = 1
- }
- @{
- Id = "18.9.80.1.1 B"
- Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
-
- Path = "HKLM:SOFTWARE\Policies\Microsoft\Windows\System"
- Name = "ShellSmartScreenLevel"
- Value = "Block"
- }
- @{
- Id = "18.9.84.1"
- Task = "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
- Name = "AllowSuggestedAppsInWindowsInkWorkspace"
- Value = 0
- }
- @{
- Id = "18.9.84.2"
- Task = "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace"
- Name = "AllowWindowsInkWorkspace"
- Value = 0
- }
- @{
- Id = "18.9.95.2"
- Task = "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription"
- Name = "EnableTranscripting"
- Value = 0
- }
- # breaks PowerShell DSC
- # @{
- # Id = "18.9.97.2.2"
- # Task = "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
-
- # Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- # Name = "AllowAutoConfig"
- # Value = 0
- # }
- @{
- Id = "18.9.98.1"
- Task = "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS"
- Name = "AllowRemoteShellAccess"
- Value = 0
- }
- @{
- Id = "18.9.101.1.1 A"
- Task = "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
-
- Path
= "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "ManagePreviewBuilds"
- Value = 1
- }
-
- @{
- Id = "18.9.101.1.1 B"
- Task = "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "ManagePreviewBuildsPolicyValue"
- Value = 0
- }
- @{
- Id = "18.9.101.1.2 A"
- Task = "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "DeferFeatureUpdates"
- Value = 1
- }
- @{
- Id = "18.9.101.1.2 B"
- Task = "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "DeferFeatureUpdatesPeriodInDays"
- Value = 180
- SpecialValue = @{
- Type = "Range"
- Value = "180 days or greater"
- }
- }
- @{
- Id = "18.9.101.1.2 C"
- Task = "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "BranchReadinessLevel"
- Value = 32
- }
- @{
- Id = "18.9.101.1.3 A"
- Task = "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "DeferQualityUpdates"
- Value = 1
- }
- @{
- Id = "18.9.101.1.3 B"
- Task = "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- Name = "DeferQualityUpdatesPeriodInDays"
- Value = 0
- }
- @{
- Id = "18.9.101.2"
- Task = "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
- Name = "NoAutoUpdate"
- Value = 0
- }
- @{
- Id =
"18.9.101.3"
- Task = "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
- Name = "ScheduledInstallDay"
- Value = 0
- }
- @{
- Id = "18.9.101.4"
- Task = "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
- Name = "NoAutoRebootWithLoggedOnUsers"
- Value = 0
- }
- )
- UserRights = @(
- @{
- Id = "2.2.6"
- Task = "Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'"
-
- Policy = "SeIncreaseQuotaPrivilege"
- Identity = "Administrators", "Local Service", "Network Service"
- }
- @{
- Id = "2.2.9"
- Task = "Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)"
- Role = "MemberServer"
-
- Policy = "SeRemoteInteractiveLogonRight"
- Identity = "Administrators", "Remote Desktop Users"
- }
- @{
- Id = "2.2.11"
- Task = "Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'"
-
- Policy = "SeSystemtimePrivilege"
- Identity = "Administrators", "Local Service"
- }
- @{
- Id = "2.2.12"
- Task = "Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'"
-
- Policy = "SeTimeZonePrivilege"
- Identity = "Administrators", "Local Service"
- }
- # ???
- # @{
- # Id = "2.2.18"
- # Task = "Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)"
-
- # Policy = "Create_symbolic_links"
- # Identity = "Administrators"
- # }
- # ???
- # @{
- # Id = "2.2.32"
- # Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)"
-
- # Policy = "Create_symbolic_links"
- # Identity = "Administrators"
- # }
- @{
- Id = "2.2.39"
- Task = "Ensure 'Modify an object label' is set to 'No One'"
-
- Policy = "SeRelabelPrivilege"
- Identity = @()
- }
- @{
- Id = "2.2.43"
- Task = "Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'"
-
- Policy = "SeSystemProfilePrivilege"
- Identity = "Administrators", "NT SERVICE\WdiServiceHost"
- }
- @{
- Id = "2.2.44"
- Task = "Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
-
- Policy = "SeAssignPrimaryTokenPrivilege"
- Identity = "Local Service", "Network Service"
- }
- @{
- Id = "2.2.46"
- Task = "Ensure 'Shut down the system' is set to 'Administrators'"
-
- Policy = "SeShutdownPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "2.2.47"
- Task = "Ensure 'Synchronize directory service data' is set to 'No One' (DC only)"
- Role = "PrimaryDomainController"
-
- Policy = "SeSyncAgentPrivilege"
- Identity = @()
- }
- )
- AccountPolicies = @(
- @{
- Id = "2.3.1.1"
- Task = "Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)"
- Role = "MemberServer"
-
- Policy = "EnableAdminAccount"
- Value = "0"
- }
- )
- FirewallProfileSettings = @(
- @{
- Id = "9.1.1"
- Task = "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
-
- Profile = "Domain"
- Setting = "Enabled"
- Value = "True"
- }
- @{
- Id = "9.1.2"
- Task = "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
-
- Profile = "Domain"
- Setting = "DefaultInboundAction"
- Value = "Block"
- }
- @{
- Id = "9.1.3"
- Task = "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow
(default)'"
-
- Profile = "Domain"
- Setting = "DefaultOutboundAction"
- Value = "Allow"
- }
- @{
- Id = "9.1.4"
- Task = "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
-
- Profile = "Domain"
- Setting = "NotifyOnListen"
- Value = "False"
- }
- @{
- Id = "9.1.5"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'"
-
- Profile = "Domain"
- Setting = "LogFileName"
- Value = "%systemroot%\system32\LogFiles\Firewall\domainfw.log"
- }
- @{
- Id = "9.1.6"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
-
- Profile = "Domain"
- Setting = "LogMaxSizeKilobytes"
- Value = 16384
- SpecialValue = @{
- Type = "Range"
- Value = "16384 KB or greater"
- }
- }
- @{
- Id = "9.1.7"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
-
- Profile = "Domain"
- Setting = "LogBlocked"
- Value = "True"
- }
- @{
- Id = "9.1.8"
- Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
-
- Profile = "Domain"
- Setting = "LogAllowed"
- Value = "True"
- }
-
-
- @{
- Id = "9.2.1"
- Task = "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
-
- Profile = "Private"
- Setting = "Enabled"
- Value = "True"
- }
- @{
- Id = "9.2.2"
- Task = "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
-
- Profile = "Private"
- Setting = "DefaultInboundAction"
- Value = "Block"
- }
- @{
- Id = "9.2.3"
- Task = "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
-
- Profile = "Private"
- Setting = "DefaultOutboundAction"
- Value = "Allow"
- }
- @{
- Id = "9.2.4"
- Task = "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
-
- Profile = "Private"
- Setting = "NotifyOnListen"
- Value = "False"
- }
- @{
- Id = "9.2.5"
- Task = "Ensure 'Windows
Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'"
-
- Profile = "Private"
- Setting = "LogFileName"
- Value = "%systemroot%\system32\LogFiles\Firewall\privatefw.log"
- }
- @{
- Id = "9.2.6"
- Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
-
- Profile = "Private"
- Setting = "LogMaxSizeKilobytes"
- Value = 16384
- SpecialValue = @{
- Type = "Range"
- Value = "16384 KB or greater"
- }
- }
- @{
- Id = "9.2.7"
- Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
-
- Profile = "Private"
- Setting = "LogBlocked"
- Value = "True"
- }
- @{
- Id = "9.2.8"
- Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
-
- Profile = "Private"
- Setting = "LogAllowed"
- Value = "True"
- }
-
-
- @{
- Id = "9.3.1"
- Task = "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
-
- Profile = "Public"
- Setting = "Enabled"
- Value = "True"
- }
- @{
- Id = "9.3.2"
- Task = "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
-
- Profile = "Public"
- Setting = "DefaultInboundAction"
- Value = "Block"
- }
- @{
- Id = "9.3.3"
- Task = "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
-
- Profile = "Public"
- Setting = "DefaultOutboundAction"
- Value = "Allow"
- }
- @{
- Id = "9.3.4"
- Task = "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
-
- Profile = "Public"
- Setting = "NotifyOnListen"
- Value = "False"
- }
- # Run Get-NetFirewallProfile -Name Public -PolicyStore localhost
- # @{ # Problems
- # Id = "9.3.5"
- # Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
-
- # Profile = "Public"
- # Setting = "AllowLocalFirewallRules"
- # Value = "False"
- # }
- # @{ # Problems
- # Id = "9.3.6"
- # Task = "Ensure 'Windows Firewall: Public:
Settings: Apply local connection security rules' is set to 'No'"
-
- # Profile = "Public"
- # Setting = "AllowLocalIPsecRules"
- # Value = "False"
- # }
- @{
- Id = "9.3.7"
- Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'"
-
- Profile = "Public"
- Setting = "LogFileName"
- Value = "%systemroot%\system32\LogFiles\Firewall\publicfw.log"
- }
- @{
- Id = "9.3.8"
- Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
-
- Profile = "Public"
- Setting = "LogMaxSizeKilobytes"
- Value = 16384
- SpecialValue = @{
- Type = "Range"
- Value = "16384 KB or greater"
- }
- }
- @{
- Id = "9.3.9"
- Task = "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
-
- Profile = "Public"
- Setting = "LogBlocked"
- Value = "True"
- }
- @{
- Id = "9.3.10"
- Task = "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
-
- Profile = "Public"
- Setting = "LogAllowed"
- Value = "True"
- }
- )
- AuditPolicies = @(
- @{
- Id = "17.1.1"
- Task = "Credential Validation is set to Success and Failure"
-
- Subcategory = "Credential Validation"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.2.1"
- Task = "Application Group Management is set to Success and Failure"
-
- Subcategory = "Application Group Management"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.2.2"
- Task = "Computer Account Management is set to Success and Failure"
-
- Subcategory = "Computer Account Management"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.2.4"
- Task = "Other Account Management Events is set to Success and Failure"
-
- Subcategory = "Other Account Management Events"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.2.5"
- Task = "Security Group Management is set to Success and Failure"
-
- Subcategory = "Security Group Management"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.2.6"
- Task =
"User Account Management is set to Success and Failure"
-
- Subcategory = "User Account Management"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.3.1"
- Task = "Plug and Play Events is set to Success"
-
- Subcategory = "Plug and Play Events"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.3.2"
- Task = "Process Creation is set to Success"
-
- Subcategory = "Process Creation"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.5.1"
- Task = "Account Lockout is set to Success and Failure"
-
- Subcategory = "Account Lockout"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.5.2"
- Task = "Group Membership is set to Success"
-
- Subcategory = "Group Membership"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.5.3"
- Task = "Logoff is set to Success"
-
- Subcategory = "Logoff"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.5.4"
- Task = "Logon is set to Success and Failure"
-
- Subcategory = "Logon"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.5.5"
- Task = "Other Logon/Logoff Events is set to Success and Failure"
-
- Subcategory = "Other Logon/Logoff Events"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.5.6"
- Task = "Special Logon is set to Success"
-
- Subcategory = "Special Logon"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.6.1"
- Task = "Removable Storage is set to Success and Failure"
-
- Subcategory = "Removable Storage"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.7.1"
- Task = "Audit Policy Change is set to Success and Failure"
-
- Subcategory = "Audit Policy Change"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.7.2"
- Task = "Authentication Policy Change is set to Success"
-
- Subcategory = "Authentication Policy Change"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.7.3"
- Task = "Authorization Policy Change is set to Success"
-
- Subcategory = "Authorization Policy Change"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.8.1"
- Task = "Sensitive Privilege Use is set to Success and Failure"
-
- Subcategory = "Sensitive Privilege
Use"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.9.1"
- Task = "IPsec Driver is set to Success and Failure"
-
- Subcategory = "IPsec Driver"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.9.2"
- Task = "Other System Events is set to Success and Failure"
-
- Subcategory = "Other System Events"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.9.3"
- Task = "Security State Change is set to Success"
-
- Subcategory = "Security State Change"
- AuditFlag = 'Success'
- }
- @{
- Id = "17.9.4"
- Task = "Security System Extension is set to Success and Failure"
-
- Subcategory = "Security System Extension"
- AuditFlag = 'Success and Failure'
- }
- @{
- Id = "17.9.5"
- Task = "System Integrity is set to Success and Failure"
-
- Subcategory = "System Integrity"
- AuditFlag = 'Success and Failure'
- }
- )
-}
\ No newline at end of file
diff --git a/WindowsServer2016Audit/DISARequirements.psd1 b/WindowsServer2016Audit/DISARequirements.psd1
deleted file mode 100644
index 9883944a..00000000
--- a/WindowsServer2016Audit/DISARequirements.psd1
+++ /dev/null
@@ -1,1542 +0,0 @@
-@{
- RegistrySettings = @(
- @{
- Id = "WN16-CC-000280"
- Task = "Administrator accounts must not be enumerated during elevation."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI"
- Name = "EnumerateAdministrators"
- Value = 0
- }
- @{
- Id = "WN16-CC-000010"
- Task = "The display of slide shows on the lock screen must be disabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization"
- Name = "NoLockScreenSlideshow"
- Value = 1
- }
- @{
- Id = "WN16-MS-000020"
- Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "LocalAccountTokenFilterPolicy"
- Value = 0
- }
- @{
- Id = "WN16-CC-000030"
- Task = "WDigest Authentication must be disabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest"
- Name = "UseLogonCredential"
- Value = 0
- }
- @{
- Id = "WN16-CC-000040"
- Task = "Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
- Name = "DisableIPSourceRouting"
- Value = 2
- }
- @{
- Id = "WN16-CC-000050"
- Task = "Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
- Name = "DisableIPSourceRouting"
- Value = 2
- }
- @{
- Id = "WN16-CC-000060"
- Task = "Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
- Name = "EnableICMPRedirect"
- Value = 0
- }
- @{
- Id = "WN16-CC-000070"
- Task = "Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters"
- Name = "NoNameReleaseOnDemand"
- Value = 1
- }
- @{
- Id = "WN16-CC-000080"
- Task = "Insecure logons to an SMB server must be disabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation"
- Name = "AllowInsecureGuestAuth"
- Value = 0
- }
- @{
- Id = "WN16-CC-000090 A"
- Task = "Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
- Name = "\\*\NETLOGON"
- Value = "RequireMutualAuthentication=1, RequireIntegrity=1"
- }
- @{
- Id = "WN16-CC-000090 B"
- Task = "Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
- Name = "\\*\SYSVOL"
- Value = "RequireMutualAuthentication=1, RequireIntegrity=1"
- }
- @{
- Id = "WN16-CC-000100"
- Task = "Command line data must be included in process creation events."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
- Name = "ProcessCreationIncludeCmdLine_Enabled"
- Value = 1
- }
- @{
- Id = "WN16-CC-000110 A"
- Task = "Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
- Name = "EnableVirtualizationBasedSecurity"
- Value = 1
- }
- @{
- Id = "WN16-CC-000110 B"
- Task = "Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
- Name = "RequirePlatformSecurityFeatures"
- Value = 3
- }
- @{
- Id = "WN16-CC-000120"
- Task = "Credential Guard must be running on domain-joined member servers."
- Role = "MemberServer"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
- Name = "LsaCfgFlags"
- Value = 1
- }
- @{
- Id = "WN16-CC-000130"
- Task = "Virtualization-based protection of code integrity must be enabled on domain-joined systems."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
- Name = "HypervisorEnforcedCodeIntegrity"
- Value = 1
- }
- @{
- Id = "WN16-CC-000140"
- Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch"
- Name = "DriverLoadPolicy"
- Value = 8
- }
- @{
- Id = "WN16-CC-000150"
- Task = "Group Policy objects must be reprocessed even if they have not changed."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
- Name = "NoGPOListChanges"
- Value = 0
- }
- @{
- Id = "WN16-CC-000160"
- Task = "Downloading print driver packages over HTTP must be prevented."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
- Name = "DisableWebPnPDownload"
- Value = 1
- }
- @{
- Id = "WN16-CC-000170"
- Task = "Printing over HTTP must be prevented."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
- Name = "DisableHTTPPrinting"
- Value = 1
- }
- @{
- Id = "WN16-CC-000180"
- Task = "The network selection user interface (UI) must not be displayed on the logon screen."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
- Name = "DontDisplayNetworkSelectionUI"
- Value = 1
- }
- @{
- Id = "WN16-MS-000030"
- Task = "Local users on domain-joined computers must not be enumerated."
- Role = "MemberServer"
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
- Name = "EnumerateLocalUsers"
- Value = 0
- }
- # @{
- # Id = "WN16-CC-000200"
- # Task = "Windows Server 2016 must be configured to block untrusted fonts from loading."
-
- # Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions"
- # Name = "MitigationOptions_FontBocking"
- # Value = "1000000000000"
- # }
- @{
- Id = "WN16-CC-000210"
- Task = "Users must be prompted to authenticate when the system wakes from sleep (on battery)."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
- Name = "DCSettingIndex"
- Value = 1
- }
- @{
- Id = "WN16-CC-000220"
- Task = "Users must be prompted to authenticate when the system wakes from sleep (plugged in)."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51"
- Name = "ACSettingIndex"
- Value = 1
- }
- @{
- Id = "WN16-MS-000040"
- Task = "Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"
- Name = "RestrictRemoteClients"
- Value = 1
- }
- @{
- Id = "WN16-CC-000240"
- Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat"
- Name = "DisableInventory"
- Value = 1
- }
- @{
- Id = "WN16-CC-000250"
- Task = "AutoPlay must be turned off for non-volume devices."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer"
- Name = "NoAutoplayfornonVolume"
- Value = 1
- }
- @{
- Id = "WN16-CC-000260"
- Task = "The default AutoRun behavior must be configured to prevent AutoRun commands."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- Name = "NoAutorun"
- Value = 1
- }
- @{
- Id = "WN16-CC-000270"
- Task = "AutoPlay must be disabled for all drives."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
- Name = "NoDriveTypeAutoRun"
- Value = 255
- }
- @{
- Id = "WN16-CC-000290"
- Task = "Windows Telemetry must be configured to Security or Basic."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
- Name = "AllowTelemetry"
- Value = 0
- }
- @{
- Id = "WN16-CC-000300"
- Task = "The Application event log size must be configured to 32768 KB or greater."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application"
- Name = "MaxSize"
- Value = 32768
- }
- @{
- Id = "WN16-CC-000310"
- Task = "The Security event log size must be configured to 196608 KB or greater."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
- Name = "MaxSize"
- Value = 196608
- }
- @{
- Id = "WN16-CC-000320"
- Task = "The System event log size must be configured to 32768 KB or greater."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System"
- Name = "MaxSize"
- Value = 32768
- }
- @{
- Id = "WN16-CC-000330"
- Task = "Windows SmartScreen must be enabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
- Name = "EnableSmartScreen"
- Value = 1
- }
- @{
- Id = "WN16-CC-000340"
- Task = "Explorer Data Execution Prevention must be enabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer"
- Name = "NoDataExecutionPrevention"
- Value = 0
- }
- @{
- Id = "WN16-CC-000350"
- Task = "Turning off File Explorer heap termination on corruption must be disabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer"
- Name = "NoHeapTerminationOnCorruption"
- Value = 0
- }
- @{
- Id = "WN16-CC-000360"
- Task = "File Explorer shell protocol must run in protected mode."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
- Name = "PreXPSP2ShellProtocolBehavior"
- Value = 0
- }
- @{
- Id = "WN16-CC-000370"
- Task = "Passwords must not be saved in the Remote Desktop Client."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "DisablePasswordSaving"
- Value = 1
- }
- @{
- Id = "WN16-CC-000380"
- Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fDisableCdm"
- Value = 1
- }
- @{
- Id = "WN16-CC-000390"
- Task = "Remote Desktop Services must always prompt a client for passwords upon connection."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fPromptForPassword"
- Value = 1
- }
- @{
- Id = "WN16-CC-000400"
- Task = "The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "fEncryptRPCTraffic"
- Value = 1
- }
- @{
- Id = "WN16-CC-000410"
- Task = "Remote Desktop Services must be configured with the client connection encryption set to High Level."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
- Name = "MinEncryptionLevel"
- Value = 3
- }
- @{
- Id = "WN16-CC-000420"
- Task = "Attachments must be prevented from being downloaded from RSS feeds."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds"
- Name = "DisableEnclosureDownload"
- Value = 1
- }
- @{
- Id = "WN16-CC-000430"
- Task = "Basic authentication for RSS feeds over HTTP must not be used."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds"
- Name = "AllowBasicAuthInClear"
- Value = 0
- }
- @{
- Id = "WN16-CC-000440"
- Task = "Indexing of encrypted files must be turned off."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
- Name = "AllowIndexingEncryptedStoresOrItems"
- Value = 0
- }
- @{
- Id = "WN16-CC-000450"
- Task = "Users must be prevented from changing installation options."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
- Name = "EnableUserControl"
- Value = 0
- }
- @{
- Id = "WN16-CC-000460"
- Task = "The Windows Installer Always install with elevated privileges option must be disabled."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
- Name = "AlwaysInstallElevated"
- Value = 0
- }
- @{
- Id = "WN16-CC-000470"
- Task = "Users must be notified if a web-based program attempts to install software."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
- Name = "SafeForScripting"
- Value = 0
- }
- @{
- Id = "WN16-CC-000480"
- Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "DisableAutomaticRestartSignOn"
- Value = 1
- }
- @{
- Id = "WN16-CC-000490"
- Task = "PowerShell script block logging must be enabled."
-
- Path = "HKLM:\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
- Name = "EnableScriptBlockLogging"
- Value = 1
- }
- @{
- Id = "WN16-CC-000500"
- Task = "The Windows Remote Management (WinRM) client must not use Basic authentication."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client"
- Name = "AllowBasic"
- Value = 0
- }
- @{
- Id = "WN16-CC-000510"
- Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client"
- Name = "AllowUnencryptedTraffic"
- Value = 0
- }
- @{
- Id = "WN16-CC-000520"
- Task = "The Windows Remote Management (WinRM) client must not use Digest authentication."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client"
- Name = "AllowDigest"
- Value = 0
- }
- @{
- Id = "WN16-CC-000530"
- Task = "The Windows Remote Management (WinRM) service must not use Basic authentication."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- Name = "AllowBasic"
- Value = 0
- }
- @{
- Id = "WN16-CC-000540"
- Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- Name = "AllowUnencryptedTraffic"
- Value = 0
- }
- @{
- Id = "WN16-CC-000550"
- Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
- Name = "DisableRunAs"
- Value = 1
- }
- @{
- Id = "WN16-SO-000020"
- Task = "Local accounts with blank passwords must be restricted to prevent access from the network."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "LimitBlankPasswordUse"
- Value = 1
- }
- @{
- Id = "WN16-SO-000050"
- Task = "Audit policy using subcategories must be enabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "SCENoApplyLegacyAuditPolicy"
- Value = 1
- }
- @{
- Id = "WN16-DC-000320"
- Task = "Domain controllers must require LDAP access signing."
- Role = "PrimaryDomainController"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
- Name = "LDAPServerIntegrity"
- Value = 2
- }
- @{
- Id = "WN16-DC-000330"
- Task = "Domain controllers must be configured to allow reset of machine account passwords."
- Role = "PrimaryDomainController"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "RefusePasswordChange"
- Value = 0
- }
- @{
- Id = "WN16-SO-000080"
- Task = "Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled."
- Role = "MemberServer"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "RequireSignOrSeal"
- Value = 1
- }
- @{
- Id = "WN16-SO-000090"
- Task = "Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled."
- Role = "MemberServer"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "SealSecureChannel"
- Value = 1
- }
- @{
- Id = "WN16-SO-000100"
- Task = "Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled."
- Role = "MemberServer"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "SignSecureChannel"
- Value = 1
- }
- @{
- Id = "WN16-SO-000110"
- Task = "The computer account password must not be prevented from being reset."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "DisablePasswordChange"
- Value = 0
- }
- @{
- Id = "WN16-SO-000120"
- Task = "The maximum age for machine account passwords must be configured to 30 days or less."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "MaximumPasswordAge"
- Value = 30
- SpecialValue = @{
- Type = "Range"
- Value = "30 days or less, but not 0"
- }
- }
- @{
- Id = "WN16-SO-000130"
- Task = "Windows Server 2016 must be configured to require a strong session key."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
- Name = "RequireStrongKey"
- Value = 1
- }
- @{
- Id = "WN16-SO-000140"
- Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "InactivityTimeoutSecs"
- Value = 900
- SpecialValue = @{
- Type = "Range"
- Value = "900 seconds or less, but not 0"
- }
- }
- @{
- Id = "WN16-SO-000150"
- Task = "The required legal notice must be configured to display before console logon."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "LegalNoticeText"
-
- SpecialValue = @{
- Type = "Placeholder"
- Value = "LegalNoticeText"
- }
- }
- @{
- Id = "WN16-SO-000160"
- Task = "The Windows dialog box title for the legal banner must be configured with the appropriate text."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "LegalNoticeCaption"
-
- SpecialValue = @{
- Type = "Placeholder"
- Value = "LegalNoticeTitle"
- }
- }
- @{
- Id = "WN16-MS-000050"
- Task = "Caching of logon credentials must be limited."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Name = "CachedLogonsCount"
- Value = "4"
- SpecialValue = @{
- Type = "Range"
- Value = "4 or less"
- }
- }
- @{
- Id = "WN16-SO-000190"
- Task = "The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- Name = "RequireSecuritySignature"
- Value = 1
- }
- @{
- Id = "WN16-SO-000200"
- Task = "The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- Name = "EnableSecuritySignature"
- Value = 1
- }
- @{
- Id = "WN16-SO-000210"
- Task = "Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
- Name = "EnablePlainTextPassword"
- Value = 0
- }
- @{
- Id = "WN16-SO-000220"
- Task = "The amount of idle time required before suspending a session must be configured to 15 minutes or less."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
- Name = "autodisconnect"
- Value = 15
- SpecialValue = @{
- Type = "Range"
- Value = "15 minutes or less" # Exclude 0
- }
- }
- @{
- Id = "WN16-SO-000230"
- Task = "The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
- Name = "RequireSecuritySignature"
- Value = 1
- }
- @{
- Id = "WN16-SO-000240"
- Task = "The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
- Name = "EnableSecuritySignature"
- Value = 1
- }
- @{
- Id = "WN16-SO-000260"
- Task = "Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "RestrictAnonymousSAM"
- Value = 1
- }
- @{
- Id = "WN16-SO-000270"
- Task = "Anonymous enumeration of shares must not be allowed."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "RestrictAnonymous"
- Value = 1
- }
- @{
- Id = "WN16-SO-000280"
- Task = "Windows Server 2016 must be configured to prevent the storage of passwords and credentials."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "DisableDomainCreds"
- Value = 1
- }
- @{
- Id = "WN16-SO-000290"
- Task = "Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "EveryoneIncludesAnonymous"
- Value = 0
- }
- @{
- Id = "WN16-SO-000300"
- Task = "Anonymous access to Named Pipes and Shares must be restricted."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
- Name = "RestrictNullSessAccess"
- Value = 1
- }
- @{
- Id = "WN16-MS-000310"
- Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators."
- Role = "MemberServer","StandaloneServer"
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
- Name = "RestrictRemoteSAM"
- Value = "O:BAG:BAD:(A;;RC;;;BA)"
- }
- @{
- Id = "WN16-SO-000320"
- Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
- Name = "UseMachineId"
- Value = 1
- }
- @{
- Id = "WN16-SO-000330"
- Task = "NTLM must be prevented from falling back to a Null session."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0"
- Name = "allownullsessionfallback"
- Value = 0
- }
- @{
- Id = "WN16-SO-000340"
- Task = "PKU2U authentication using online identities must be prevented."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u"
- Name = "AllowOnlineID"
- Value = 0
- }
- @{
- Id = "WN16-SO-000350"
- Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
- Name = "SupportedEncryptionTypes"
- Value = 2147483640
- }
- @{
- Id = "WN16-SO-000360"
- Task = "Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "NoLMHash"
- Value = 1
- }
- @{
- Id = "WN16-SO-000380"
- Task = "The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
- Name = "LmCompatibilityLevel"
- Value = 5
- }
- @{
- Id = "WN16-SO-000390"
- Task = "Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LDAP"
- Name = "LDAPClientIntegrity"
- Value = 1
- }
- @{
- Id = "WN16-SO-000400"
- Task = "Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
- Name = "NTLMMinClientSec"
- Value = 537395200
- }
- @{
- Id = "WN16-SO-000410"
- Task = "Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
- Name = "NTLMMinServerSec"
- Value = 537395200
- }
- @{
- Id = "WN16-SO-000420"
- Task = "Users must be required to enter a password to access private keys stored on the computer."
-
- Path = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography"
- Name = "ForceKeyProtection"
- Value = 2
- }
- @{
- Id = "WN16-SO-000430"
- Task = "Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
- Name = "Enabled"
- Value = 1
- }
- @{
- Id = "WN16-SO-000440"
- Task = "Windows Server 2016 must be configured to require case insensitivity for non-Windows subsystems."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel"
- Name = "ObCaseInsensitive"
- Value = 1
- }
- @{
- Id = "WN16-SO-000450"
- Task = "The default permissions of global system objects must be strengthened."
-
- Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
- Name = "ProtectionMode"
- Value = 1
- }
- @{
- Id = "WN16-SO-000460"
- Task = "User Account Control approval mode for the built-in Administrator must be enabled."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "FilterAdministratorToken"
- Value = 1
- }
- @{
- Id = "WN16-SO-000470"
- Task = "UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "EnableUIADesktopToggle"
- Value = 0
- }
- @{
- Id = "WN16-SO-000480"
- Task = "User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "ConsentPromptBehaviorAdmin"
- Value = 2
- }
- @{
- Id = "WN16-SO-000490"
- Task = "User Account Control must automatically deny standard user requests for elevation."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "ConsentPromptBehaviorUser"
- Value = 0
- }
- @{
- Id = "WN16-SO-000500"
- Task = "User Account Control must be configured to detect application installations and prompt for elevation."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "EnableInstallerDetection"
- Value = 1
- }
- @{
- Id = "WN16-SO-000510"
- Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "EnableSecureUIAPaths"
- Value = 1
- }
- @{
- Id = "WN16-SO-000520"
- Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "EnableLUA"
- Value = 1
- }
- @{
- Id = "WN16-SO-000530"
- Task = "User Account Control must virtualize file and registry write failures to per-user locations."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
- Name = "EnableVirtualization"
- Value = 1
- }
- @{
- Id = "WN16-UC-000010"
- Task = "A screen saver must be enabled on the system."
-
- Path = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop"
- Name = "ScreenSaveActive"
- Value = "1"
- }
- @{
- Id = "WN16-UC-000020"
- Task = "The screen saver must be password protected."
-
- Path = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop"
- Name = "ScreenSaverIsSecure"
- Value = "1"
- }
- @{
- Id = "WN16-UC-000030"
- Task = "Zone information must be preserved when saving attachments."
-
- Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments"
- Name = "SaveZoneInformation"
- Value = 2
- }
- @{
- Id = "WN16-SO-000180"
- Task = "The Smart Card removal option must be configured to Force Logoff or Lock Workstation."
-
- Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Name = "scremoveoption"
- Value = "1"
- }
-
-
-
-
- )
- UserRights = @(
- @{
- Id = "WN16-UR-000010"
- Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
-
- Policy = "SeTrustedCredManAccessPrivilege"
- Identity = @()
- }
- @{
- Id = "WN16-DC-000340"
- Task = "The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
- Role = "PrimaryDomainController"
-
- Policy = "SeNetworkLogonRight"
- Identity = "Administrators", "NT AUTHORITY\Authenticated Users" #, "Enterprise Domain Controllers"
- }
- @{
- Id = "WN16-MS-000340"
- Task = "The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers."
- Role = "MemberServer", "StandaloneServer"
-
- Policy = "SeNetworkLogonRight"
- Identity = "Administrators", "NT AUTHORITY\Authenticated Users"
- }
- @{
- Id = "WN16-UR-000030"
- Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts."
-
- Policy = "SeTcbPrivilege"
- Identity = @()
- }
- @{
- Id = "WN16-DC-000350"
- Task = "The Add workstations to domain user right must only be assigned to the Administrators group."
- Role = "PrimaryDomainController"
-
- Policy = "SeMachineAccountPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000050"
- Task = "The Allow log on locally user right must only be assigned to the Administrators group."
-
- Policy = "SeInteractiveLogonRight"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-DC-000360"
- Task = "The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group."
- Role = "PrimaryDomainController"
-
- Policy = "SeRemoteInteractiveLogonRight"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000070"
- Task = "The Back up files and directories user right must only be assigned to the Administrators group."
-
- Policy = "SeBackupPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000080"
- Task = "The Create a pagefile user right must only be assigned to the Administrators group."
-
- Policy = "SeCreatePagefilePrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000090"
- Task = "The Create a token object user right must not be assigned to any groups or accounts."
-
- Policy = "SeCreateTokenPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000100"
- Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service."
-
- Policy = "SeCreateGlobalPrivilege"
- Identity = "Administrators", "Service", "Local Service", "Network Service"
- }
- @{
- Id = "WN16-UR-000110"
- Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts."
-
- Policy = "SeCreatePermanentPrivilege"
- Identity = @()
- }
- @{
- Id = "WN16-UR-000120"
- Task = "The Create symbolic links user right must only be assigned to the Administrators group."
-
- Policy = "SeCreateSymbolicLinkPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-UR-000130"
- Task = "The Debug programs user right must only be assigned to the Administrators group."
-
- Policy = "SeDebugPrivilege"
- Identity = "Administrators"
- }
- @{
- Id = "WN16-DC-000370"
- Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
- Role = "PrimaryDomainController"
-
- Policy = "SeDenyNetworkLogonRight"
- Identity = "Guests"
- }
- @{
- Id = "WN16-MS-000370 MS"
- Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
- Role = "MemberServer"
-
- Policy = "SeDenyNetworkLogonRight"
- # Old audit: "Enterprise Admins", "Domain Admins", "Guests"
- # Old hardening: "Enterprise Admins", "Domain Admins", "Administrators", "Guests"
- Identity = "Enterprise Admins", "Domain Admins", "Administrators", "Guests"
- }
- @{
- Id = "WN16-MS-000370 SS"
- Task = "The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems."
- Role = "StandaloneServer"
-
- Policy = "SeDenyNetworkLogonRight"
- # Old audit: "Guests"
- # Old hardening: "Administrators", "Guests"
- # Why are Administrators here?
- Identity = "Guests"
- }
- @{
- Id = "WN16-DC-000380"
- Task = "The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
- Role = "PrimaryDomainController"
-
- Policy = "SeDenyBatchLogonRight"
- Identity = "Guests"
- }
- @{
- Id = "WN16-MS-000380 MS"
- Task = "The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems."
- Role = "MemberServer"
-
- Policy = "SeDenyBatchLogonRight"
- Identity = "Enterprise Admins", "Domain Admins", "Guests"
- }
- @{
- Id = "WN16-MS-000380 SS"
- Task = "The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems."
- Role = "StandaloneServer"
-
- Policy = "SeDenyBatchLogonRight"
- Identity = "Guests"
- }
- @{
- Id = "WN16-DC-000390"
- Task = "The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
- Role = "PrimaryDomainController" - - Policy = "SeDenyServiceLogonRight" - Identity = @() - } - @{ - Id = "WN16-MS-000390 MS" - Task = "The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right." - Role = "MemberServer" - - Policy = "SeDenyServiceLogonRight" - Identity = "Enterprise Admins", "Domain Admins" - } - @{ - Id = "WN16-MS-000390 SS" - Task = "The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right." - Role = "StandaloneServer" - - Policy = "SeDenyServiceLogonRight" - # Old audit: @() - # Old hardening: "Enterprise Admins" - Identity = @() - } - @{ - Id = "WN16-DC-000400" - Task = "The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." - Role = "PrimaryDomainController" - - Policy = "SeDenyInteractiveLogonRight" - Identity = "Guests" - } - @{ - Id = "WN16-MS-000400 MS" - Task = "The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems." - Role = "MemberServer" - - Policy = "SeDenyInteractiveLogonRight" - Identity = "Enterprise Admins", "Domain Admins", "Guests" - } - @{ - Id = "WN16-MS-000400 SS" - Task = "The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems." - Role = "StandaloneServer" - - Policy = "SeDenyInteractiveLogonRight" - Identity = "Guests" - } - @{ - Id = "WN16-DC-000410" - Task = "The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." 
- Role = "PrimaryDomainController" - - Policy = "SeDenyRemoteInteractiveLogonRight" - Identity = "Guests" - } - @{ - Id = "WN16-MS-000410 MS" - Task = "The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems." - Role = "MemberServer" - - Policy = "SeDenyRemoteInteractiveLogonRight" - # Disa Recommendation add local account - Identity = "Enterprise Admins", "Domain Admins", "Guests" - } - @{ - Id = "WN16-MS-000410 SS" - Task = "The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems." - Role = "StandaloneServer" - - Policy = "SeDenyRemoteInteractiveLogonRight" - Identity = "Guests" - } - @{ - Id = "WN16-DC-000420" - Task = "The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." - Role = "PrimaryDomainController" - - Policy = "SeEnableDelegationPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-MS-000420" - Task = "The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers." - Role = "MemberServer", "StandaloneServer" - - Policy = "SeEnableDelegationPrivilege" - Identity = @() - } - @{ - Id = "WN16-UR-000200" - Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group." - - Policy = "SeRemoteShutdownPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000210" - Task = "The Generate security audits user right must only be assigned to Local Service and Network Service." 
- - Policy = "SeAuditPrivilege" - Identity = "Local Service", "Network Service" - } - @{ - Id = "WN16-UR-000220" - Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." - - Policy = "SeImpersonatePrivilege" - Identity = "Administrators", "Service", "Local Service", "Network Service" - } - @{ - Id = "WN16-UR-000230" - Task = "The Increase scheduling priority user right must only be assigned to the Administrators group." - - Policy = "SeIncreaseBasePriorityPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000240" - Task = "The Load and unload device drivers user right must only be assigned to the Administrators group." - - Policy = "SeLoadDriverPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000250" - Task = "The Lock pages in memory user right must not be assigned to any groups or accounts." - - Policy = "SeLockMemoryPrivilege" - Identity = @() - } - @{ - Id = "WN16-UR-000260" - Task = "The Manage auditing and security log user right must only be assigned to the Administrators group." - - Policy = "SeSecurityPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000270" - Task = "The Modify firmware environment values user right must only be assigned to the Administrators group." - - Policy = "SeSystemEnvironmentPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000280" - Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group." - - # Old audit: checks SeSystemEnvironmentPrivilege - Policy = "SeManageVolumePrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000290" - Task = "The Profile single process user right must only be assigned to the Administrators group." 
- - Policy = "SeProfileSingleProcessPrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000300" - Task = "The Restore files and directories user right must only be assigned to the Administrators group." - - Policy = "SeRestorePrivilege" - Identity = "Administrators" - } - @{ - Id = "WN16-UR-000310" - Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group." - - Policy = "SeTakeOwnershipPrivilege" - Identity = "Administrators" - } - ) - AccountPolicies = @( - @{ - Id = "WN16-AC-000010" - Task = "Windows 2016 account lockout duration must be configured to 15 minutes or greater." - - Policy = "LockoutDuration" - Value = 15 - SpecialValue = @{ - Type = "Range" - Value = "15 minutes or greater" - } - } - @{ - Id = "WN16-AC-000020" - Task = "The number of allowed bad logon attempts must be configured to three or less." - - Policy = "LockoutBadCount" - Value = 3 - SpecialValue = @{ - Type = "Range" - # Old audit: 0 not excluded - Value = "3 or less, but not 0" - } - } - @{ - Id = "WN16-AC-000030" - Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes or greater." - - Policy = "ResetLockoutCount" - Value = 15 - SpecialValue = @{ - Type = "Range" - Value = "15 minutes or greater" - } - } - @{ - Id = "WN16-AC-000040" - Task = "The password history must be configured to 24 passwords remembered." - - Policy = "PasswordHistorySize" - Value = 24 - SpecialValue = @{ - Type = "Range" - # Old audit: only 24 is allowed - Value = "24 or greater" - } - } - @{ - Id = "WN16-AC-000050" - Task = "The maximum password age must be configured to 60 days or less." - - Policy = "MaximumPasswordAge" - Value = 60 - SpecialValue = @{ - Type = "Range" - Value = "60 days or less" - } - } - @{ - Id = "WN16-AC-000060" - Task = "The minimum password age must be configured to at least one day." 
- - Policy = "MinimumPasswordAge" - Value = 1 - SpecialValue = @{ - Type = "Range" - Value = "1 day or greater" - } - } - @{ - Id = "WN16-AC-000070" - Task = "The minimum password length must be configured to 14 characters." - - Policy = "MinimumPasswordLength" - Value = 14 - SpecialValue = @{ - Type = "Range" - Value = "14 characters or greater" - } - } - @{ - Id = "WN16-AC-000080" - Task = "The built-in Windows password complexity policy must be enabled." - - Policy = "PasswordComplexity" - Value = 1 - } - @{ - Id = "WN16-AC-000090" - Task = "Reversible password encryption must be disabled." - - Policy = "ClearTextPassword" - Value = 0 - } - @{ - Id = "WN16-SO-000250" - Task = "Anonymous SID/Name translation must not be allowed." - - Policy = "LSAAnonymousNameLookup" - Value = 0 - } - # ... - @{ - Id = "WN16-SO-000370" - Task = "Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire." - - Policy = "ForceLogoffWhenHourExpire" - Value = 1 - } - ) - WindowsFeatures = @( - @{ - Id = "WN16-00-000350" - Task = "The Fax Server role must not be installed." - - Feature = "Fax" - } - @{ - Id = "WN16-00-000360" - Task = "The Microsoft FTP service must not be installed unless required." - - Feature = "Web-Ftp-Service" - } - @{ - Id = "WN16-00-000370" - Task = "The Peer Name Resolution Protocol must not be installed." - - Feature = "PNRP" - } - @{ - Id = "WN16-00-000380" - Task = "Simple TCP/IP Services must not be installed." - - Feature = "Simple-TCPIP" - } - @{ - Id = "WN16-00-000390" - Task = "The Telnet Client must not be installed." - - Feature = "Telnet-Client" - } - @{ - Id = "WN16-00-000400" - Task = "The TFTP Client must not be installed." - - Feature = "TFTP-Client" - } - @{ - Id = "WN16-00-000410" - Task = "The Server Message Block (SMB) v1 protocol must be uninstalled." - - Feature = "FS-SMB1" - } - @{ - Id = "WN16-00-000420" - Task = "Windows PowerShell 2.0 must not be installed." 
- - Feature = "PowerShell-v2" - } - ) - FileSystemPermissions = @( - @{ - Id = "WN16-AU-000030" - Task = "Permissions for the Application event log must prevent access by non-privileged accounts." - - Target = "%SystemRoot%\System32\winevt\Logs\Application.evtx" - PrincipalRights = @{ - "NT SERVICE\EventLog" = "FullControl" - "NT AUTHORITY\SYSTEM" = "FullControl" - "BUILTIN\Administrators" = "FullControl" - } - } - @{ - Id = "WN16-AU-000040" - Task = "Permissions for the Security event log must prevent access by non-privileged accounts." - - Target = "%SystemRoot%\System32\winevt\Logs\Security.evtx" - PrincipalRights = @{ - "NT SERVICE\EventLog" = "FullControl" - "NT AUTHORITY\SYSTEM" = "FullControl" - "BUILTIN\Administrators" = "FullControl" - } - } - @{ - Id = "WN16-AU-000050" - Task = "Permissions for the System event log must prevent access by non-privileged accounts." - - Target = "%SystemRoot%\System32\winevt\Logs\System.evtx" - PrincipalRights = @{ - "NT SERVICE\EventLog" = "FullControl" - "NT AUTHORITY\SYSTEM" = "FullControl" - "BUILTIN\Administrators" = "FullControl" - } - } - @{ - Id = "WN16-AU-000060" - Task = "Event Viewer must be protected from unauthorized modification and deletion." - - Target = "%SystemRoot%\System32\Eventvwr.exe" - PrincipalRights = @{ - "NT SERVICE\TrustedInstaller" = "FullControl" - "NT Authority\System" = "ReadAndExecute, Synchronize" - "BUILTIN\Administrators" = "ReadAndExecute, Synchronize" - "BUILTIN\Users" = "ReadAndExecute, Synchronize" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - } - } - @{ - Id = "WN16-00-000160" - Task = "Permissions for the system drive root directory (usually C:\) must conform to minimum requirements." 
- - Target = "%SystemDrive%\" - PrincipalRights = @{ - "NT Authority\System" = "FullControl" - "BUILTIN\Administrators" = "FullControl" - "BUILTIN\Users" = "ReadAndExecute, Synchronize", "CreateFiles", "CreateDirectories" - "CREATOR OWNER" = "FullControl" - } - } - @{ - Id = "WN16-00-000170 A" - Task = "Permissions for program file directories must conform to minimum requirements." - - Target = "%ProgramFiles%\" - PrincipalRights = @{ - "NT SERVICE\TrustedInstaller" = "FullControl" - "NT Authority\System" = "FullControl", "Modify, Synchronize" - "BUILTIN\Administrators" = "FullControl", "Modify, Synchronize" - "BUILTIN\Users" = "ReadAndExecute, Synchronize" - "CREATOR OWNER" = "FullControl" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - } - } - @{ - Id = "WN16-00-000170 B" - Task = "Permissions for program file directories must conform to minimum requirements." - - Target = "%ProgramFiles(x86)%\" - PrincipalRights = @{ - "NT SERVICE\TrustedInstaller" = "FullControl" - "NT Authority\System" = "FullControl", "Modify, Synchronize" - "BUILTIN\Administrators" = "FullControl", "Modify, Synchronize" - "BUILTIN\Users" = "ReadAndExecute, Synchronize" - "CREATOR OWNER" = "FullControl" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - } - } - @{ - Id = "WN16-00-000180" - Task = "Permissions for the Windows installation directory must conform to minimum requirements." 
- - Target = "%windir%\" - PrincipalRights = @{ - "NT SERVICE\TrustedInstaller" = "FullControl" - "NT Authority\System" = "FullControl", "Modify, Synchronize" - "BUILTIN\Administrators" = "FullControl", "Modify, Synchronize" - "BUILTIN\Users" = "ReadAndExecute, Synchronize" - "CREATOR OWNER" = "FullControl" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" = "ReadAndExecute, Synchronize" - } - } - ) - RegistryPermissions = @( - @{ - Id = "WN16-00-000190 A" - Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - - Target = "HKLM:\SECURITY" - PrincipalRights = @{ - "NT Authority\System" = "FullControl" - "BUILTIN\Administrators" = "ReadPermissions, ChangePermissions" - } - } - # Special user "S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" - @{ - Id = "WN16-00-000190 B" - Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - - Target = "HKLM:\SOFTWARE" - PrincipalRights = @{ - "BUILTIN\Users" = "ReadKey" - "BUILTIN\Administrators" = "FullControl" - "NT Authority\System" = "FullControl" - "CREATOR OWNER" = "FullControl" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey" - } - } - @{ - Id = "WN16-00-000190 C" - Task = "Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - - Target = "HKLM:\SYSTEM" - PrincipalRights = @{ - "BUILTIN\Users" = "ReadKey" - "BUILTIN\Administrators" = "FullControl" - "NT Authority\System" = "FullControl" - "CREATOR OWNER" = "FullControl" - "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" = "ReadKey" - } - } - ) -} diff --git a/WindowsServer2016Audit/README.md b/WindowsServer2016Audit/README.md deleted file mode 100644 index e830f596..00000000 --- a/WindowsServer2016Audit/README.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Windows Server 2016 Audit - -based on -* _Windows Server 2016 Security Technical Implementation Guide V1R6 2018-08-26_ -* and _CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 2018-10-31_ - -## Overview - -The `WindowsServer2016Audit`-Module benchmarks your Windows Server 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks. - -## Requirements - -Please make sure that following requirements are fulfilled: - -* **Windows Server 2016** -* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](https://github.com/fbprogmbh/Audit-Test-Automation/tree/master/ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module. - -## Loading the Windows Server 2016 Audit module - -1. Download the release zip and export the modules in a location you can easily access with PowerShell -2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example: -```Powershell -cd .\Desktop\ -Import-Module -Name .\Audit-Test-Automation\WindowsServer2016Audit -Verbose -``` -3. Generate a report with `Get-WindowsServer2016HtmlReport` For example: -```PowerShell -Get-WindowsServer2016HtmlReport -Path "MyReport.html" -``` - -## Sample report - -You can find a sample report in the [Sample](Sample) folder. - -## Remarks - -The script runs a while - do not be impatient. diff --git a/WindowsServer2016Audit/Sample/report.dark.html b/WindowsServer2016Audit/Sample/report.dark.html deleted file mode 100644 index 4b5ef50d..00000000 --- a/WindowsServer2016Audit/Sample/report.dark.html +++ /dev/null @@ -1 +0,0 @@ -Windows Server 2016 Audit Report [09/13/2018 08:29:36]
FB-Pro GmbH

Windows Server 2016 Audit Report

Generated by the WindowsServer2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27, CIS.

This report was generated at 09/13/2018 08:29:36 on WIN-ALJMCIFOBRC.

HostnameWIN-ALJMCIFOBRC
Build Number14393
Free disk space(GB) 13.0
Operating SystemMicrosoft Windows Server 2016 Standard Evaluation
Free physical memory (GB)0.784

Navigation

Click the link(s) below for quick access to a report section.

DISA Settings^

Id Task Message Audit
SV-87875r2_rule Passwords for the built-in Administrator account must be changed at least every 60 days. Password for Administrator last set on 07/05/2018 05:48:58 False
SV-87889r1_rule Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. Not in domain True
SV-87891r1_rule Systems must be maintained at a supported servicing level. Compliant True
SV-87899r1_rule Local volumes must use a format that supports NTFS attributes. Compliant True
SV-87901r1_rule Permissions for the system drive root directory (usually C:\) must conform to minimum requirements. Not compliant False
SV-87903r1_rule Permissions for program file directorie C:\Program Files must conform to minimum requirements. Compliant True
SV-87903r1_rule Permissions for program file directorie C:\Program Files (x86) must conform to minimum requirements. Compliant True
SV-87905r1_rule Permissions for the Windows installation directory C:\Windows must conform to minimum requirements. Compliant True
SV-87907r1_rule Default permissions for the HKEY_LOCAL_MACHINE\Security registry hive must be maintained. Compliant True
SV-87907r1_rule_2 Default permissions for the HKEY_LOCAL_MACHINE\Software registry hive must be maintained. Compliant True
SV-87907r1_rule_3 Default permissions for the HKEY_LOCAL_MACHINE\System registry hive must be maintained. Not compliant False
SV-87909r1_rule Non-administrative accounts or groups must only have print permissions on printer shares. Compliant True
SV-87911r1_rule Outdated or unused accounts must be removed from the system or disabled. Not compliant False
SV-87913r2_rule Accounts must require passwords. Compliant True
SV-87915r2_rule Passwords must be configured to expire. Not compliant False
SV-87919r1_rule Non-system-created file shares on a system must limit access to groups that require it. Shares not as expected Warning
SV-87925r1_rule Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Bitlocker not enabled False
SV-87931r1_rule A host-based firewall must be installed and enabled on the system. Compliant True
SV-87939r1_rule The Fax Server role must not be installed. Compliant True
SV-87941r1_rule The Microsoft FTP service must not be installed unless required. Compliant True
SV-87943r1_rule The Peer Name Resolution Protocol must not be installed. Compliant True
SV-87945r1_rule Simple TCP/IP Services must not be installed. Compliant True
SV-87947r1_rule The Telnet Client must not be installed. Compliant True
SV-87949r1_rule The TFTP Client must not be installed. Compliant True
SV-87951r1_rule The Server Message Block (SMB) v1 protocol must be uninstalled. Not compliant False
SV-87953r1_rule Windows PowerShell 2.0 must not be installed. Compliant True
SV-87961r2_rule Windows 2016 account lockout duration must be configured to 15 minutes or greater. Not compliant False
SV-87963r1_rule The number of allowed bad logon attempts must be configured to three or less. Compliant True
SV-87965r1_rule The period of time before the bad logon counter is reset must be configured to 15 minutes or greater. Not compliant False
SV-87967r1_rule The password history must be configured to 24 passwords remembered. Not compliant False
SV-87969r1_rule The maximum password age must be configured to 60 days or less. Compliant True
SV-87971r1_rule The minimum password age must be configured to at least one day. Not compliant False
SV-87973r1_rule The minimum password length must be configured to 14 characters. Not compliant False
SV-88057r1_rule Permissions for the Application event log must prevent access by non-privileged accounts. Compliant True
SV-88059r1_rule Permissions for the Security event log must prevent access by non-privileged accounts. Compliant True
SV-88061r1_rule Permissions for the System event log must prevent access by non-privileged accounts. Compliant True
SV-88139r1_rule Administrator accounts must not be enumerated during elevation. Not compliant False
SV-88145r1_rule The display of slide shows on the lock screen must be disabled. Registry path to NoLockScreenSlideshow does not exist. False
SV-88147r1_rule Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Not compliant False
SV-88149r1_rule WDigest Authentication must be disabled. Not compliant False
SV-88151r1_rule Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. Not compliant False
SV-88153r1_rule Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. Not compliant False
SV-88155r1_rule Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. Not compliant False
SV-88157r1_rule Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. Not compliant False
SV-88159r1_rule Insecure logons to an SMB server must be disabled. Not compliant False
SV-88161r1_rule Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\NETLOGON shares. Error False
SV-88161r1_rule_2 Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\SYSVOL shares. Error False
SV-88163r1_rule Command line data must be included in process creation events. Not compliant False
SV-88165r1_rule Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (EnableVirtualizationBasedSecurity). Error False
SV-88165r1_rule_2 Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (RequirePlatformSecurityFeatures). Error False
SV-88165r1_rule_3 Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (VirtualizationBasedSecurityStatus Running). Not compliant False
SV-88167r1_rule Credential Guard must be running on domain-joined systems. Error False
SV-88167r1_rule_2 Credential Guard must be running on domain-joined systems (SecurityServicesRunning). Not compliant False
SV-88169r1_rule Virtualization-based protection of code integrity must be enabled on domain-joined systems. Error False
SV-88169r1_rule_2 Virtualization-based protection of code integrity must be enabled on domain-joined systems (SecurityServicesRunning). Not compliant False
SV-88173r1_rule Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Not compliant False
SV-88177r1_rule Group Policy objects must be reprocessed even if they have not changed. Not compliant False
SV-88179r1_rule Downloading print driver packages over HTTP must be prevented. Not compliant False
SV-88181r1_rule Printing over HTTP must be prevented. Not compliant False
SV-88185r1_rule The network selection user interface (UI) must not be displayed on the logon screen. Not compliant False
SV-88187r1_rule Local users on domain-joined computers must not be enumerated. Not compliant False
SV-88189r1_rule Windows Server 2016 must be configured to block untrusted fonts from loading. Not compliant False
SV-88197r1_rule Users must be prompted to authenticate when the system wakes from sleep (on battery). Not compliant False
SV-88201r1_rule Users must be prompted to authenticate when the system wakes from sleep (plugged in). Not compliant False
SV-88203r1_rule Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server. Not compliant False
SV-88207r1_rule The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Not compliant False
SV-88209r1_rule AutoPlay must be turned off for non-volume devices. Not compliant False
SV-88211r1_rule The default AutoRun behavior must be configured to prevent AutoRun commands. Not compliant False
SV-88213r1_rule AutoPlay must be disabled for all drives. Not compliant False
SV-88215r1_rule Windows Telemetry must be configured to Security or Basic. Not compliant False
SV-88217r1_rule The Application event log size must be configured to 32768 KB or greater. Not compliant False
SV-88219r1_rule The Security event log size must be configured to 196608 KB or greater. Not compliant False
SV-88221r1_rule The System event log size must be configured to 32768 KB or greater. Not compliant False
SV-88223r1_rule Windows SmartScreen must be enabled. Not compliant False
SV-88225r1_rule Explorer Data Execution Prevention must be enabled. Not compliant False
SV-88227r1_rule Turning off File Explorer heap termination on corruption must be disabled. Not compliant False
SV-88229r1_rule File Explorer shell protocol must run in protected mode. Not compliant False
SV-88231r1_rule Passwords must not be saved in the Remote Desktop Client. Not compliant False
SV-88233r1_rule Local drives must be prevented from sharing with Remote Desktop Session Hosts. Not compliant False
SV-88235r1_rule Remote Desktop Services must always prompt a client for passwords upon connection. Not compliant False
SV-88237r1_rule The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. Not compliant False
SV-88239r1_rule Remote Desktop Services must be configured with the client connection encryption set to High Level. Not compliant False
SV-88241r1_rule Attachments must be prevented from being downloaded from RSS feeds. Not compliant False
SV-88243r1_rule Basic authentication for RSS feeds over HTTP must not be used. Not compliant False
SV-88245r1_rule Indexing of encrypted files must be turned off. Not compliant False
SV-88247r1_rule Users must be prevented from changing installation options. Not compliant False
SV-88249r1_rule The Windows Installer Always install with elevated privileges option must be disabled. Not compliant False
SV-88251r1_rule Users must be notified if a web-based program attempts to install software. Not compliant False
SV-88253r1_rule Automatically signing in the last interactive user after a system-initiated restart must be disabled. Compliant True
SV-88255r1_rule PowerShell script block logging must be enabled. Not compliant False
SV-88257r1_rule The Windows Remote Management (WinRM) client must not use Basic authentication. Not compliant False
SV-88259r1_rule The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Not compliant False
SV-88261r1_rule The Windows Remote Management (WinRM) client must not use Digest authentication. Not compliant False
SV-88263r1_rule The Windows Remote Management (WinRM) service must not use Basic authentication. Not compliant False
SV-88265r1_rule The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Not compliant False
SV-88267r1_rule The Windows Remote Management (WinRM) service must not store RunAs credentials. Not compliant False
SV-88285r1_rule Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
SV-88287r1_rule The built-in administrator account must be renamed. Built-in Administrator account is not renamed. False
SV-88289r1_rule The built-in guest account must be renamed. Not compliant False
SV-88291r1_rule Audit policy using subcategories must be enabled. Not compliant False
SV-88293r1_rule Domain controllers must require LDAP access signing. Not compliant False
SV-88295r1_rule Domain controllers must be configured to allow reset of machine account passwords. Not compliant False
SV-88297r1_rule The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. Compliant True
SV-88299r1_rule The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. Compliant True
SV-88301r1_rule The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. Compliant True
SV-88303r1_rule The computer account password must not be prevented from being reset. Compliant True
SV-88305r1_rule The maximum age for machine account passwords must be configured to 30 days or less. Compliant True
SV-88307r1_rule Windows Server 2016 must be configured to require a strong session key. Compliant True
SV-88309r1_rule The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. Compliant True
SV-88311r1_rule The required legal notice must be configured to display before console logon. Not compliant False
SV-88313r1_rule The Windows dialog box title for the legal banner must be configured with the appropriate text. Not compliant False
SV-88315r1_rule Caching of logon credentials must be limited. Compliant True
SV-88317r1_rule The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. Not compliant False
SV-88319r1_rule The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. Compliant True
SV-88321r1_rule Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. Compliant True
SV-88323r1_rule The amount of idle time required before suspending a session must be configured to 15 minutes or less. Compliant True
SV-88325r1_rule The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. Not compliant False
SV-88327r1_rule The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. Not compliant False
SV-88329r1_rule Anonymous SID/Name translation must not be allowed. Compliant True
SV-88331r1_rule Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. Compliant True
SV-88333r1_rule Anonymous enumeration of shares must not be allowed. Not compliant False
SV-88335r1_rule Windows Server 2016 must be configured to prevent the storage of passwords and credentials. Not compliant False
SV-88337r1_rule Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. Compliant True
SV-88339r1_rule Anonymous access to Named Pipes and Shares must be restricted. Compliant True
SV-88341r1_rule Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. Not compliant False
SV-88343r1_rule Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. Not compliant False
SV-88345r1_rule NTLM must be prevented from falling back to a Null session. Not compliant False
SV-88347r1_rule PKU2U authentication using online identities must be prevented. Not compliant False
SV-88349r1_rule Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Not compliant False
SV-88351r1_rule Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
SV-88353r1_rule Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire. Not compliant False
SV-88355r1_rule The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. Not compliant False
SV-88357r1_rule Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. Compliant True
SV-88359r1_rule Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. Not compliant False
SV-88361r1_rule Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. Not compliant False
SV-88363r1_rule Users must be required to enter a password to access private keys stored on the computer. Not compliant False
SV-88365r1_rule Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Not compliant False
SV-88367r1_rule Windows Server 2016 must be configured to require case insensitivity for non-Windows subsystems. Compliant True
SV-88369r1_rule The default permissions of global system objects must be strengthened. Compliant True
SV-88371r1_rule User Account Control approval mode for the built-in Administrator must be enabled. Not compliant False
SV-88373r1_rule UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. Compliant True
SV-88375r1_rule User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. Not compliant False
SV-88377r1_rule User Account Control must automatically deny standard user requests for elevation. Not compliant False
SV-88379r1_rule User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
SV-88381r1_rule User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
SV-88383r1_rule User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
SV-88385r1_rule User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
SV-88387r1_rule A screen saver must be enabled on the system. Not compliant False
SV-88389r1_rule The screen saver must be password protected. Not compliant False
SV-88391r1_rule Zone information must be preserved when saving attachments. Not compliant False
SV-88393r1_rule The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Not compliant False
SV-88397r1_rule The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. Not compliant False
SV-88399r1_rule The Act as part of the operating system user right must not be assigned to any groups or accounts. Not compliant False
SV-88403r1_rule The Allow log on locally user right must only be assigned to the Administrators group. Not compliant False
SV-88407r1_rule The Back up files and directories user right must only be assigned to the Administrators group. Not compliant False
SV-88409r1_rule The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
SV-88411r1_rule The Create a token object user right must not be assigned to any groups or accounts. Not compliant False
SV-88413r1_rule The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
SV-88415r1_rule The Create permanent shared objects user right must not be assigned to any groups or accounts. Not compliant False
SV-88417r1_rule The Create symbolic links user right must only be assigned to the Administrators group. Compliant True
SV-88419r1_rule The Debug programs user right must only be assigned to the Administrators group. Compliant True
SV-88423r1_rule The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems. Not compliant False
SV-88427r1_rule The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. Not compliant False
SV-88431r1_rule The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. Not compliant False
SV-88435r1_rule The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. Not compliant False
SV-88439r1_rule The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems. Not compliant False
SV-88443r1_rule The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers. Not compliant False
SV-88445r1_rule The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
SV-88447r1_rule The Generate security audits user right must only be assigned to Local Service and Network Service. Not compliant False
SV-88449r1_rule The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Not compliant False
SV-88451r1_rule The Increase scheduling priority user right must only be assigned to the Administrators group. Compliant True
SV-88453r1_rule The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
SV-88455r1_rule The Lock pages in memory user right must not be assigned to any groups or accounts. Not compliant False
SV-88457r1_rule The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
SV-88459r1_rule The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
SV-88461r1_rule The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
SV-88463r1_rule The Profile single process user right must only be assigned to the Administrators group. Compliant True
SV-88465r1_rule The Restore files and directories user right must only be assigned to the Administrators group. Not compliant False
SV-88467r1_rule The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True
SV-88473r1_rule The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Not compliant False
SV-88475r1_rule The built-in guest account must be disabled. Compliant True

CIS advanced audit policy settings^

Id Task Message Audit
CIS 17.1.1 Credential Validation is set to Success and Failure Success False
CIS 17.2.1 Application Group Management is set to Success and Failure No Auditing False
CIS 17.2.2 Computer Account Management is set to Success and Failure Success False
CIS 17.2.4 Other Account Management Events is set to Success and Failure No Auditing False
CIS 17.2.5 Security Group Management is set to Success and Failure Success False
CIS 17.2.5 User Account Management is set to Success and Failure Success False
CIS 17.3.1 Plug and Play Events is set to Success No Auditing False
CIS 17.3.2 Process Creation is set to Success No Auditing False
CIS 17.5.1 Account Lockout is set to Success and Failure Success False
CIS 17.5.2 Group Membership is set to Success No Auditing False
CIS 17.5.3 Logoff is set to Success Compliant True
CIS 17.5.4 Logon is set to Success and Failure Compliant True
CIS 17.5.5 Other Logon/Logoff Events is set to Success and Failure No Auditing False
CIS 17.5.6 Special Logon is set to Success Compliant True
CIS 17.6.1 Removable Storage is set to Success and Failure No Auditing False
CIS 17.7.1 Audit Policy Change is set to Success and Failure Success False
CIS 17.7.2 Authentication Policy Change is set to Success Compliant True
CIS 17.7.3 Authorization Policy Change is set to Success No Auditing False
CIS 17.8.1 Sensitive Privilege Use is set to Success and Failure No Auditing False
CIS 17.9.1 IPsec Driver is set to Success and Failure No Auditing False
CIS 17.9.2 Other System Events is set to Success and Failure Compliant True
CIS 17.9.3 Security State Change is set to Success Compliant True
CIS 17.9.4 Security System Extension is set to Success and Failure No Auditing False
CIS 17.9.5 System Integrity is set to Success and Failure Compliant True
diff --git a/WindowsServer2016Audit/Sample/report.html b/WindowsServer2016Audit/Sample/report.html
deleted file mode 100644
index 48ff8014..00000000
--- a/WindowsServer2016Audit/Sample/report.html
+++ /dev/null
@@ -1 +0,0 @@
-Windows Server 2016 Audit Report [09/13/2018 08:26:00]
FB-Pro GmbH

Windows Server 2016 Audit Report

Generated by the WindowsServer2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27, CIS.

This report was generated at 09/13/2018 08:26:00 on WIN-ALJMCIFOBRC.

HostnameWIN-ALJMCIFOBRC
Build Number14393
Free disk space(GB) 13.0
Operating SystemMicrosoft Windows Server 2016 Standard Evaluation
Free physical memory (GB)1.376

Navigation

Click the link(s) below for quick access to a report section.

DISA Settings^

Id Task Message Audit
SV-87875r2_rule Passwords for the built-in Administrator account must be changed at least every 60 days. Password for Administrator last set on 07/05/2018 05:48:58 False
SV-87889r1_rule Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. Not in domain True
SV-87891r1_rule Systems must be maintained at a supported servicing level. Compliant True
SV-87899r1_rule Local volumes must use a format that supports NTFS attributes. Compliant True
SV-87901r1_rule Permissions for the system drive root directory (usually C:\) must conform to minimum requirements. Not compliant False
SV-87903r1_rule Permissions for program file directorie C:\Program Files must conform to minimum requirements. Compliant True
SV-87903r1_rule Permissions for program file directorie C:\Program Files (x86) must conform to minimum requirements. Compliant True
SV-87905r1_rule Permissions for the Windows installation directory C:\Windows must conform to minimum requirements. Compliant True
SV-87907r1_rule Default permissions for the HKEY_LOCAL_MACHINE\Security registry hive must be maintained. Compliant True
SV-87907r1_rule_2 Default permissions for the HKEY_LOCAL_MACHINE\Software registry hive must be maintained. Compliant True
SV-87907r1_rule_3 Default permissions for the HKEY_LOCAL_MACHINE\System registry hive must be maintained. Not compliant False
SV-87909r1_rule Non-administrative accounts or groups must only have print permissions on printer shares. Compliant True
SV-87911r1_rule Outdated or unused accounts must be removed from the system or disabled. Not compliant False
SV-87913r2_rule Accounts must require passwords. Compliant True
SV-87915r2_rule Passwords must be configured to expire. Not compliant False
SV-87919r1_rule Non-system-created file shares on a system must limit access to groups that require it. Shares not as expected Warning
SV-87925r1_rule Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Bitlocker not enabled False
SV-87931r1_rule A host-based firewall must be installed and enabled on the system. Compliant True
SV-87939r1_rule The Fax Server role must not be installed. Compliant True
SV-87941r1_rule The Microsoft FTP service must not be installed unless required. Compliant True
SV-87943r1_rule The Peer Name Resolution Protocol must not be installed. Compliant True
SV-87945r1_rule Simple TCP/IP Services must not be installed. Compliant True
SV-87947r1_rule The Telnet Client must not be installed. Compliant True
SV-87949r1_rule The TFTP Client must not be installed. Compliant True
SV-87951r1_rule The Server Message Block (SMB) v1 protocol must be uninstalled. Not compliant False
SV-87953r1_rule Windows PowerShell 2.0 must not be installed. Compliant True
SV-87961r2_rule Windows 2016 account lockout duration must be configured to 15 minutes or greater. Not compliant False
SV-87963r1_rule The number of allowed bad logon attempts must be configured to three or less. Compliant True
SV-87965r1_rule The period of time before the bad logon counter is reset must be configured to 15 minutes or greater. Not compliant False
SV-87967r1_rule The password history must be configured to 24 passwords remembered. Not compliant False
SV-87969r1_rule The maximum password age must be configured to 60 days or less. Compliant True
SV-87971r1_rule The minimum password age must be configured to at least one day. Not compliant False
SV-87973r1_rule The minimum password length must be configured to 14 characters. Not compliant False
SV-88057r1_rule Permissions for the Application event log must prevent access by non-privileged accounts. Compliant True
SV-88059r1_rule Permissions for the Security event log must prevent access by non-privileged accounts. Compliant True
SV-88061r1_rule Permissions for the System event log must prevent access by non-privileged accounts. Compliant True
SV-88139r1_rule Administrator accounts must not be enumerated during elevation. Not compliant False
SV-88145r1_rule The display of slide shows on the lock screen must be disabled. Registry path to NoLockScreenSlideshow does not exist. False
SV-88147r1_rule Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Not compliant False
SV-88149r1_rule WDigest Authentication must be disabled. Not compliant False
SV-88151r1_rule Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. Not compliant False
SV-88153r1_rule Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. Not compliant False
SV-88155r1_rule Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. Not compliant False
SV-88157r1_rule Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. Not compliant False
SV-88159r1_rule Insecure logons to an SMB server must be disabled. Not compliant False
SV-88161r1_rule Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\NETLOGON shares. Error False
SV-88161r1_rule_2 Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\SYSVOL shares. Error False
SV-88163r1_rule Command line data must be included in process creation events. Not compliant False
SV-88165r1_rule Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (EnableVirtualizationBasedSecurity). Error False
SV-88165r1_rule_2 Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (RequirePlatformSecurityFeatures). Error False
SV-88165r1_rule_3 Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (VirtualizationBasedSecurityStatus Running). Not compliant False
SV-88167r1_rule Credential Guard must be running on domain-joined systems. Error False
SV-88167r1_rule_2 Credential Guard must be running on domain-joined systems (SecurityServicesRunning). Not compliant False
SV-88169r1_rule Virtualization-based protection of code integrity must be enabled on domain-joined systems. Error False
SV-88169r1_rule_2 Virtualization-based protection of code integrity must be enabled on domain-joined systems (SecurityServicesRunning). Not compliant False
SV-88173r1_rule Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Not compliant False
SV-88177r1_rule Group Policy objects must be reprocessed even if they have not changed. Not compliant False
SV-88179r1_rule Downloading print driver packages over HTTP must be prevented. Not compliant False
SV-88181r1_rule Printing over HTTP must be prevented. Not compliant False
SV-88185r1_rule The network selection user interface (UI) must not be displayed on the logon screen. Not compliant False
SV-88187r1_rule Local users on domain-joined computers must not be enumerated. Not compliant False
SV-88189r1_rule Windows Server 2016 must be configured to block untrusted fonts from loading. Not compliant False
SV-88197r1_rule Users must be prompted to authenticate when the system wakes from sleep (on battery). Not compliant False
SV-88201r1_rule Users must be prompted to authenticate when the system wakes from sleep (plugged in). Not compliant False
SV-88203r1_rule Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server. Not compliant False
SV-88207r1_rule The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Not compliant False
SV-88209r1_rule AutoPlay must be turned off for non-volume devices. Not compliant False
SV-88211r1_rule The default AutoRun behavior must be configured to prevent AutoRun commands. Not compliant False
SV-88213r1_rule AutoPlay must be disabled for all drives. Not compliant False
SV-88215r1_rule Windows Telemetry must be configured to Security or Basic. Not compliant False
SV-88217r1_rule The Application event log size must be configured to 32768 KB or greater. Not compliant False
SV-88219r1_rule The Security event log size must be configured to 196608 KB or greater. Not compliant False
SV-88221r1_rule The System event log size must be configured to 32768 KB or greater. Not compliant False
SV-88223r1_rule Windows SmartScreen must be enabled. Not compliant False
SV-88225r1_rule Explorer Data Execution Prevention must be enabled. Not compliant False
SV-88227r1_rule Turning off File Explorer heap termination on corruption must be disabled. Not compliant False
SV-88229r1_rule File Explorer shell protocol must run in protected mode. Not compliant False
SV-88231r1_rule Passwords must not be saved in the Remote Desktop Client. Not compliant False
SV-88233r1_rule Local drives must be prevented from sharing with Remote Desktop Session Hosts. Not compliant False
SV-88235r1_rule Remote Desktop Services must always prompt a client for passwords upon connection. Not compliant False
SV-88237r1_rule The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. Not compliant False
SV-88239r1_rule Remote Desktop Services must be configured with the client connection encryption set to High Level. Not compliant False
SV-88241r1_rule Attachments must be prevented from being downloaded from RSS feeds. Not compliant False
SV-88243r1_rule Basic authentication for RSS feeds over HTTP must not be used. Not compliant False
SV-88245r1_rule Indexing of encrypted files must be turned off. Not compliant False
SV-88247r1_rule Users must be prevented from changing installation options. Not compliant False
SV-88249r1_rule The Windows Installer Always install with elevated privileges option must be disabled. Not compliant False
SV-88251r1_rule Users must be notified if a web-based program attempts to install software. Not compliant False
SV-88253r1_rule Automatically signing in the last interactive user after a system-initiated restart must be disabled. Compliant True
SV-88255r1_rule PowerShell script block logging must be enabled. Not compliant False
SV-88257r1_rule The Windows Remote Management (WinRM) client must not use Basic authentication. Not compliant False
SV-88259r1_rule The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Not compliant False
SV-88261r1_rule The Windows Remote Management (WinRM) client must not use Digest authentication. Not compliant False
SV-88263r1_rule The Windows Remote Management (WinRM) service must not use Basic authentication. Not compliant False
SV-88265r1_rule The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Not compliant False
SV-88267r1_rule The Windows Remote Management (WinRM) service must not store RunAs credentials. Not compliant False
SV-88285r1_rule Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
SV-88287r1_rule The built-in administrator account must be renamed. Built-in Administrator account is not renamed. False
SV-88289r1_rule The built-in guest account must be renamed. Not compliant False
SV-88291r1_rule Audit policy using subcategories must be enabled. Not compliant False
SV-88293r1_rule Domain controllers must require LDAP access signing. Not compliant False
SV-88295r1_rule Domain controllers must be configured to allow reset of machine account passwords. Not compliant False
SV-88297r1_rule The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. Compliant True
SV-88299r1_rule The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. Compliant True
SV-88301r1_rule The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. Compliant True
SV-88303r1_rule The computer account password must not be prevented from being reset. Compliant True
SV-88305r1_rule The maximum age for machine account passwords must be configured to 30 days or less. Compliant True
SV-88307r1_rule Windows Server 2016 must be configured to require a strong session key. Compliant True
SV-88309r1_rule The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. Compliant True
SV-88311r1_rule The required legal notice must be configured to display before console logon. Not compliant False
SV-88313r1_rule The Windows dialog box title for the legal banner must be configured with the appropriate text. Not compliant False
SV-88315r1_rule Caching of logon credentials must be limited. Compliant True
SV-88317r1_rule The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. Not compliant False
SV-88319r1_rule The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. Compliant True
SV-88321r1_rule Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. Compliant True
SV-88323r1_rule The amount of idle time required before suspending a session must be configured to 15 minutes or less. Compliant True
SV-88325r1_rule The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. Not compliant False
SV-88327r1_rule The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. Not compliant False
SV-88329r1_rule Anonymous SID/Name translation must not be allowed. Compliant True
SV-88331r1_rule Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. Compliant True
SV-88333r1_rule Anonymous enumeration of shares must not be allowed. Not compliant False
SV-88335r1_rule Windows Server 2016 must be configured to prevent the storage of passwords and credentials. Not compliant False
SV-88337r1_rule Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. Compliant True
SV-88339r1_rule Anonymous access to Named Pipes and Shares must be restricted. Compliant True
SV-88341r1_rule Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. Not compliant False
SV-88343r1_rule Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. Not compliant False
SV-88345r1_rule NTLM must be prevented from falling back to a Null session. Not compliant False
SV-88347r1_rule PKU2U authentication using online identities must be prevented. Not compliant False
SV-88349r1_rule Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Not compliant False
SV-88351r1_rule Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
SV-88353r1_rule Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire. Not compliant False
SV-88355r1_rule The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. Not compliant False
SV-88357r1_rule Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. Compliant True
SV-88359r1_rule Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. Not compliant False
SV-88361r1_rule Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. Not compliant False
SV-88363r1_rule Users must be required to enter a password to access private keys stored on the computer. Not compliant False
SV-88365r1_rule Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Not compliant False
SV-88367r1_rule Windows Server 2016 must be configured to require case insensitivity for non-Windows subsystems. Compliant True
SV-88369r1_rule The default permissions of global system objects must be strengthened. Compliant True
SV-88371r1_rule User Account Control approval mode for the built-in Administrator must be enabled. Not compliant False
SV-88373r1_rule UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. Compliant True
SV-88375r1_rule User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. Not compliant False
SV-88377r1_rule User Account Control must automatically deny standard user requests for elevation. Not compliant False
SV-88379r1_rule User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
SV-88381r1_rule User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
SV-88383r1_rule User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
SV-88385r1_rule User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
SV-88387r1_rule A screen saver must be enabled on the system. Not compliant False
SV-88389r1_rule The screen saver must be password protected. Not compliant False
SV-88391r1_rule Zone information must be preserved when saving attachments. Not compliant False
SV-88393r1_rule The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Not compliant False
SV-88397r1_rule The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. Not compliant False
SV-88399r1_rule The Act as part of the operating system user right must not be assigned to any groups or accounts. Not compliant False
SV-88403r1_rule The Allow log on locally user right must only be assigned to the Administrators group. Not compliant False
SV-88407r1_rule The Back up files and directories user right must only be assigned to the Administrators group. Not compliant False
SV-88409r1_rule The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
SV-88411r1_rule The Create a token object user right must not be assigned to any groups or accounts. Not compliant False
SV-88413r1_rule The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
SV-88415r1_rule The Create permanent shared objects user right must not be assigned to any groups or accounts. Not compliant False
SV-88417r1_rule The Create symbolic links user right must only be assigned to the Administrators group. Compliant True
SV-88419r1_rule The Debug programs user right must only be assigned to the Administrators group. Compliant True
SV-88423r1_rule The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems. Not compliant False
SV-88427r1_rule The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. Not compliant False
SV-88431r1_rule The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. Not compliant False
SV-88435r1_rule The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. Not compliant False
SV-88439r1_rule The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems. Not compliant False
SV-88443r1_rule The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers. Not compliant False
SV-88445r1_rule The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
SV-88447r1_rule The Generate security audits user right must only be assigned to Local Service and Network Service. Not compliant False
SV-88449r1_rule The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Not compliant False
SV-88451r1_rule The Increase scheduling priority user right must only be assigned to the Administrators group. Compliant True
SV-88453r1_rule The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
SV-88455r1_rule The Lock pages in memory user right must not be assigned to any groups or accounts. Not compliant False
SV-88457r1_rule The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
SV-88459r1_rule The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
SV-88461r1_rule The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
SV-88463r1_rule The Profile single process user right must only be assigned to the Administrators group. Compliant True
SV-88465r1_rule The Restore files and directories user right must only be assigned to the Administrators group. Not compliant False
SV-88467r1_rule The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True
SV-88473r1_rule The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Not compliant False
SV-88475r1_rule The built-in guest account must be disabled. Compliant True

CIS advanced audit policy settings^

Id Task Message Audit
CIS 17.1.1 Credential Validation is set to Success and Failure Success False
CIS 17.2.1 Application Group Management is set to Success and Failure No Auditing False
CIS 17.2.2 Computer Account Management is set to Success and Failure Success False
CIS 17.2.4 Other Account Management Events is set to Success and Failure No Auditing False
CIS 17.2.5 Security Group Management is set to Success and Failure Success False
CIS 17.2.5 User Account Management is set to Success and Failure Success False
CIS 17.3.1 Plug and Play Events is set to Success No Auditing False
CIS 17.3.2 Process Creation is set to Success No Auditing False
CIS 17.5.1 Account Lockout is set to Success and Failure Success False
CIS 17.5.2 Group Membership is set to Success No Auditing False
CIS 17.5.3 Logoff is set to Success Compliant True
CIS 17.5.4 Logon is set to Success and Failure Compliant True
CIS 17.5.5 Other Logon/Logoff Events is set to Success and Failure No Auditing False
CIS 17.5.6 Special Logon is set to Success Compliant True
CIS 17.6.1 Removable Storage is set to Success and Failure No Auditing False
CIS 17.7.1 Audit Policy Change is set to Success and Failure Success False
CIS 17.7.2 Authentication Policy Change is set to Success Compliant True
CIS 17.7.3 Authorization Policy Change is set to Success No Auditing False
CIS 17.8.1 Sensitive Privilege Use is set to Success and Failure No Auditing False
CIS 17.9.1 IPsec Driver is set to Success and Failure No Auditing False
CIS 17.9.2 Other System Events is set to Success and Failure Compliant True
CIS 17.9.3 Security State Change is set to Success Compliant True
CIS 17.9.4 Security System Extension is set to Success and Failure No Auditing False
CIS 17.9.5 System Integrity is set to Success and Failure Compliant True
diff --git a/WindowsServer2016Audit/Settings.psd1 b/WindowsServer2016Audit/Settings.psd1
deleted file mode 100644
index 52fbf8f4..00000000
--- a/WindowsServer2016Audit/Settings.psd1
+++ /dev/null
@@ -1,52 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
- Email = @{
- SMTPServer = "smtp.example.com"
- SMTPPort = 25
- MailTo = "mbam@example.com"
- MailFrom = "MBAM Error Reporting"
- Encoding = "UTF8"
- User = "mbamtap@example.com"
- PasswordFile = ""
- }
-
- # Path to logfiles
- LogFilePath = "C:\Logs"
-
- # Standard logfile name, used if no other name is passed as parameter
- LogFileName = "auditreport.log"
-
- LegalNoticeTitle = "MyCompanyName"
- LegalNoticeText = "Be sure to comply with the guidelines for administrators."
-}
\ No newline at end of file
diff --git a/WindowsServer2016Audit/WindowsServer2016Audit.psd1 b/WindowsServer2016Audit/WindowsServer2016Audit.psd1
deleted file mode 100644
index 24cdbe81..00000000
--- a/WindowsServer2016Audit/WindowsServer2016Audit.psd1
+++ /dev/null
@@ -1,150 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2018, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#>
-
-@{
-
-# Script module or binary module file associated with this manifest.
-RootModule = 'WindowsServer2016Audit.psm1'
-
-# Version number of this module.
-ModuleVersion = '2.0'
-
-# Supported PSEditions
-# CompatiblePSEditions = @()
-
-# ID used to uniquely identify this module
-GUID = 'cc4efe2d-e54c-4350-82a4-aaadbe6bf800'
-
-# Author of this module
-Author = 'Benedikt Böhme', 'Dennis Esly'
-
-# Company or vendor of this module
-CompanyName = 'FB Pro GmbH'
-
-# Copyright statement for this module
-Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.'
-
-# Description of the functionality provided by this module
-Description = "A module that benchmarks your Windows Server 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks."
-
-# Minimum version of the Windows PowerShell engine required by this module
-PowerShellVersion = '5.0'
-
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(
- 'ATAPHtmlReport'
-)
-
-# Assemblies that must be loaded prior to importing this module
-RequiredAssemblies = @(
- 'Microsoft.PowerShell.Commands.Management'
-)
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-# FunctionsToExport = '*'
-
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-# CmdletsToExport = '*'
-
-# Variables to export from this module
-# VariablesToExport = '*'
-
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-# AliasesToExport = '*'
-
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'WindowsServer2016', 'cis', 'disa')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation'
-
- # A URL to an icon representing this module.
- # IconUri = ''
-
- # ReleaseNotes of this module
- # ReleaseNotes = ''
-
- } # End of PSData hashtable
-
-} # End of PrivateData hashtable
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
-
-}
diff --git a/WindowsServer2016Audit/WindowsServer2016Audit.psm1 b/WindowsServer2016Audit/WindowsServer2016Audit.psm1
deleted file mode 100644
index 7c9def3a..00000000
--- a/WindowsServer2016Audit/WindowsServer2016Audit.psm1
+++ /dev/null
@@ -1,1910 +0,0 @@ -#Requires -RunAsAdministrator - -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests -$DisaRequirements = Import-LocalizedData -FileName "DisaRequirements.psd1" -$CisBenchmarks = Import-LocalizedData -FileName "CisBenchmarks.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - 
$LevelText = '[WARNING]:' - } - 'Info' { - # Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject - ) - - process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } -} - -function ConvertTo-NTAccountUser { - Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [string] $Name - ) - - process { - if ($_ -match "^(S-[0-9-]{3,})") { - $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name - } - else { - $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) - } - return $sidAccount.Translate([System.Security.Principal.NTAccount]) - } -} - -function Get-SecurityPolicy { - # get a temporary file to save and process the secedit settings - Write-Verbose -Message "Get temporary file" - $securityPolicyPath = Join-Path -Path $env:TEMP -ChildPath 'SecurityPolicy.inf' - Write-Verbose -Message "Tempory file: $tmp" - - # export the secedit settings to this temporary file - Write-Verbose "Export current Local Security Policy" - secedit.exe /export /cfg $securityPolicyPath | Out-Null - - $config = @{} - switch -regex -file $securityPolicyPath { - "^\[(.+)\]" { # Section - $section = $matches[1] - $config[$section] = @{} - } - "(.+?)\s*=(.*)" { # Key - $name = $matches[1] - $value = $matches[2] -replace "\*" - $config[$section][$name] = $value - } - } - - $privilegeRights = @{} - foreach ($key in $config["Privilege Rights"].Keys) { - # Make all accounts SIDs 
- $accounts = $($config["Privilege Rights"][$key] -split ",").Trim() | ConvertTo-NTAccountUser - $privilegeRights[$key] = $accounts - } - $config["Privilege Rights"] = $privilegeRights - - return $config -} - -# Get domain role -# 0 {"Standalone Workstation"} -# 1 {"Member Workstation"} -# 2 {"Standalone Server"} -# 3 {"Member Server"} -# 4 {"Backup Domain Controller"} -# 5 {"Primary Domain Controller"} -function Get-DomainRole { - [DomainRole](Get-CimInstance -Class Win32_ComputerSystem).DomainRole -} - -function Get-PrimaryDomainSID { - <# - .SYNOPSIS - Obtains SID of the primary AD domain for the local computer - #> - - [CmdletBinding()] - Param() - # Note: this script obtains SID of the primary AD domain for the local computer. It works both - # if the local computer is a domain member (DomainRole = 1 or DomainRole = 3) - # or if the local computer is a domain controller (DomainRole = 4 or DomainRole = 4). - # The code works even under local user account and does not require calling user - # to be domain account. 
- - [string]$domainSID = $null - - [int]$domainRole = Get-DomainRole - - if (($domainRole -ne [DomainRole]::StandaloneWorkstation) -and ($domainRole -ne [DomainRole]::StandaloneServer)) { - - [string] $domain = Get-CimInstance Win32_ComputerSystem | Select-Object -Expand Domain - [string] $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value - $domainSID = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) - } - - return $domainSID -} - -function Get-LocalAdminNames { - # The Administrators Group has the SID S-1-5-32-544 - return (Get-LocalGroupMember -SID "S-1-5-32-544").Name ` - | Where-Object { $_.StartsWith($env:COMPUTERNAME) } ` - | ForEach-Object { $_.Substring($env:COMPUTERNAME.Length + 1) } -} - -function Get-AuditPolicySubcategoryGUID { - Param( - [Parameter(Mandatory = $true)] - [string] $Subcategory - ) - switch ($Subcategory) { - # Information availabe with: auditpol /list /subcategory:* /v - # System - 'Security State Change' { "{0CCE9210-69AE-11D9-BED3-505054503030}" } - 'Security System Extension' { "{0CCE9211-69AE-11D9-BED3-505054503030}" } - 'System Integrity' { "{0CCE9212-69AE-11D9-BED3-505054503030}" } - 'IPsec Driver' { "{0CCE9213-69AE-11D9-BED3-505054503030}" } - 'Other System Events' { "{0CCE9214-69AE-11D9-BED3-505054503030}" } - # Logon/Logoff - 'Logon' { "{0CCE9215-69AE-11D9-BED3-505054503030}" } - 'Logoff' { "{0CCE9216-69AE-11D9-BED3-505054503030}" } - 'Account Lockout' { "{0CCE9217-69AE-11D9-BED3-505054503030}" } - 'IPsec Main Mode' { "{0CCE9218-69AE-11D9-BED3-505054503030}" } - 'IPsec Quick Mode' { "{0CCE9219-69AE-11D9-BED3-505054503030}" } - 'IPsec Extended Mode' { "{0CCE921A-69AE-11D9-BED3-505054503030}" } - 'Special Logon' { "{0CCE921B-69AE-11D9-BED3-505054503030}" } - 'Other Logon/Logoff Events' { "{0CCE921C-69AE-11D9-BED3-505054503030}" } - 'Network Policy Server' { "{0CCE9243-69AE-11D9-BED3-505054503030}" } - 'User / Device Claims' { 
"{0CCE9247-69AE-11D9-BED3-505054503030}" } - 'Group Membership' { "{0CCE9249-69AE-11D9-BED3-505054503030}" } - # Object Access - 'File System' { "{0CCE921D-69AE-11D9-BED3-505054503030}" } - 'Registry' { "{0CCE921E-69AE-11D9-BED3-505054503030}" } - 'Kernel Object' { "{0CCE921F-69AE-11D9-BED3-505054503030}" } - 'SAM' { "{0CCE9220-69AE-11D9-BED3-505054503030}" } - 'Certification Services' { "{0CCE9221-69AE-11D9-BED3-505054503030}" } - 'Application Generated' { "{0CCE9222-69AE-11D9-BED3-505054503030}" } - 'Handle Manipulation' { "{0CCE9223-69AE-11D9-BED3-505054503030}" } - 'File Share' { "{0CCE9224-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Packet Drop' { "{0CCE9225-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Connection' { "{0CCE9226-69AE-11D9-BED3-505054503030}" } - 'Other Object Access Events' { "{0CCE9227-69AE-11D9-BED3-505054503030}" } - 'Detailed File Share' { "{0CCE9244-69AE-11D9-BED3-505054503030}" } - 'Removable Storage' { "{0CCE9245-69AE-11D9-BED3-505054503030}" } - 'Central Policy Staging' { "{0CCE9246-69AE-11D9-BED3-505054503030}" } - # Privelege Use - 'Sensitive Privilege Use' { "{0CCE9228-69AE-11D9-BED3-505054503030}" } - 'Non Sensitive Privilege Use' { "{0CCE9229-69AE-11D9-BED3-505054503030}" } - 'Other Privilege Use Events' { "{0CCE922A-69AE-11D9-BED3-505054503030}" } - # Detailed Tracking - 'Process Creation' { "{0CCE922B-69AE-11D9-BED3-505054503030}" } - 'Process Termination' { "{0CCE922C-69AE-11D9-BED3-505054503030}" } - 'DPAPI Activity' { "{0CCE922D-69AE-11D9-BED3-505054503030}" } - 'RPC Events' { "{0CCE922E-69AE-11D9-BED3-505054503030}" } - 'Plug and Play Events' { "{0CCE9248-69AE-11D9-BED3-505054503030}" } - 'Token Right Adjusted Events' { "{0CCE924A-69AE-11D9-BED3-505054503030}" } - # Policy Change - 'Audit Policy Change' { "{0CCE922F-69AE-11D9-BED3-505054503030}" } - 'Authentication Policy Change' { "{0CCE9230-69AE-11D9-BED3-505054503030}" } - 'Authorization Policy Change' { "{0CCE9231-69AE-11D9-BED3-505054503030}" } - 
'MPSSVC Rule-Level Policy Change' { "{0CCE9232-69AE-11D9-BED3-505054503030}" } - 'Filtering Platform Policy Change' { "{0CCE9233-69AE-11D9-BED3-505054503030}" } - 'Other Policy Change Events' { "{0CCE9234-69AE-11D9-BED3-505054503030}" } - # Account Management - 'User Account Management' { "{0CCE9235-69AE-11D9-BED3-505054503030}" } - 'Computer Account Management' { "{0CCE9236-69AE-11D9-BED3-505054503030}" } - 'Security Group Management' { "{0CCE9237-69AE-11D9-BED3-505054503030}" } - 'Distribution Group Management' { "{0CCE9238-69AE-11D9-BED3-505054503030}" } - 'Application Group Management' { "{0CCE9239-69AE-11D9-BED3-505054503030}" } - 'Other Account Management Events' { "{0CCE923A-69AE-11D9-BED3-505054503030}" } - # DS Access - 'Directory Service Access' { "{0CCE923B-69AE-11D9-BED3-505054503030}" } - 'Directory Service Changes' { "{0CCE923C-69AE-11D9-BED3-505054503030}" } - 'Directory Service Replication' { "{0CCE923D-69AE-11D9-BED3-505054503030}" } - 'Detailed Directory Service Replication' { "{0CCE923E-69AE-11D9-BED3-505054503030}" } - # Account Logon - 'Credential Validation' { "{0CCE923F-69AE-11D9-BED3-505054503030}" } - 'Kerberos Service Ticket Operations' { "{0CCE9240-69AE-11D9-BED3-505054503030}" } - 'Other Account Logon Events' { "{0CCE9241-69AE-11D9-BED3-505054503030}" } - 'Kerberos Authentication Service' { "{0CCE9242-69AE-11D9-BED3-505054503030}" } - - Default { "" } - } -} - -function Convert-ToAuditInfo { - param ( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [Psobject] $auditObject - ) - - process { - return [AuditInfo]@{ - Id = $auditObject.Name - Task = $auditObject.Task - Message = $auditObject.Status - Audit = $auditObject.Passed - } - } -} -#endregion - -#region Audit functions -function Get-RoleAudit { - param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - 
[Parameter(ValueFromPipelineByPropertyName = $true)] - [string[]] $Role = @("MemberServer","StandaloneServer") - ) - - process { - $domainRoles = $Role | ForEach-Object { [DomainRole]$_ } - if ((Get-DomainRole) -notin $domainRoles) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Not applicable. This audit applies to " + ($Role -join " and ") + "." - Audit = [AuditStatus]::None - } - } - return $null - } -} - -function Get-RegistryAudit { - param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [AllowEmptyCollection()] - [string[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false - ) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value found." - Audit = [AuditStatus]::False - } - } - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from expected value: $ExpectedValue." 
- Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not found." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." - Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} - -function Get-UserRightPolicyAudit { - Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ValidateSet( - 'SeNetworkLogonRight', - 'SeTcbPrivilege', - 'SeBackupPrivilege', - 'SeChangeNotifyPrivilege', - 'SeSystemtimePrivilege', - 'SeCreatePagefilePrivilege', - 'SeDebugPrivilege', - 'SeRemoteShutdownPrivilege', - 'SeAuditPrivilege', - 'SeIncreaseQuotaPrivilege', - 'SeLoadDriverPrivilege', - 'SeBatchLogonRight', - 'SeServiceLogonRight', - 'SeInteractiveLogonRight', - 'SeSecurityPrivilege', - 'SeSystemEnvironmentPrivilege', - 'SeProfileSingleProcessPrivilege', - 'SeSystemProfilePrivilege', - 'SeAssignPrimaryTokenPrivilege', - 'SeTakeOwnershipPrivilege', - 'SeDenyNetworkLogonRight', - 'SeDenyBatchLogonRight', - 'SeDenyServiceLogonRight', - 
'SeDenyInteractiveLogonRight', - 'SeUndockPrivilege', - 'SeManageVolumePrivilege', - 'SeRemoteInteractiveLogonRight', - 'SeDenyRemoteInteractiveLogonRight', - 'SeImpersonatePrivilege', - 'SeCreateGlobalPrivilege', - 'SeIncreaseWorkingSetPrivilege', - 'SeTimeZonePrivilege', - 'SeCreateSymbolicLinkPrivilege', - 'SeDelegateSessionUserImpersonatePrivilege', - 'SeCreateTokenPrivilege', - 'SeCreatePermanentPrivilege', - 'SeIncreaseBasePriorityPrivilege', - 'SeLockMemoryPrivilege', - 'SeRestorePrivilege', - 'SeTrustedCredManAccessPrivilege', - 'SeEnableDelegationPrivilege', - 'SeRelabelPrivilege', - 'SeShutdownPrivilege' - )] - [string] $Policy, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [AllowEmptyCollection()] - [string[]] $Identity - ) - - process { - $securityPolicy = Get-SecurityPolicy -Verbose:$VerbosePreference - $currentUserRights = $securityPolicy["Privilege Rights"][$Policy] - - $identityAccounts = $Identity | ConvertTo-NTAccountUser - - $usersWithTooManyRights = $currentUserRights | Where-Object { $_ -notin $identityAccounts } - $usersWithoutRights = $identityAccounts | Where-Object { $_ -notin $currentUserRights } - - if ($usersWithTooManyRights.Count -gt 0) { - $message = "The following users have too many rights: " + ($usersWithTooManyRights -join ", ") - Write-Verbose -Message $message - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = $message - Audit = [AuditStatus]::False - } - } - - if ($usersWithoutRights.Count -gt 0) { - $message = "The following users have don't have the rights: " + ($usersWithoutRights -join ", ") - Write-Verbose -Message $message - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = $message - Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} - -function Get-AccountPolicyAudit { - Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, 
- - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ValidateSet( - 'MinimumPasswordAge', - 'MaximumPasswordAge', - 'MinimumPasswordLength', - 'PasswordComplexity', - 'PasswordHistorySize', - 'LockoutBadCount', - 'ResetLockoutCount', - 'LockoutDuration', - 'RequireLogonToChangePassword', - 'ForceLogoffWhenHourExpire', - 'NewAdministratorName', - 'NewGuestName', - 'ClearTextPassword', - 'LSAAnonymousNameLookup', - 'EnableAdminAccount', - 'EnableGuestAccount' - )] - [string] $Policy, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [object] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate - ) - - process { - $securityPolicy = Get-SecurityPolicy -Verbose:$VerbosePreference - $currentAccountPolicy = $securityPolicy["System Access"][$Policy] - - if ($null -eq $currentAccountPolicy) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Currently not set." - Audit = [AuditStatus]::False - } - } - - # Sanitize input - $currentAccountPolicy = $currentAccountPolicy.Trim() - - if (-not (& $Predicate $currentAccountPolicy)) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Currently set to: $currentAccountPolicy. 
Differs from expected value: $ExpectedValue"
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-AuditPolicyAudit {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [ValidateSet(
- 'Security System Extension',
- 'System Integrity',
- 'IPsec Driver',
- 'Other System Events',
- 'Security State Change',
- 'Logon',
- 'Logoff',
- 'Account Lockout',
- 'IPsec Main Mode',
- 'IPsec Quick Mode',
- 'IPsec Extended Mode',
- 'Special Logon',
- 'Other Logon/Logoff Events',
- 'Network Policy Server',
- 'User / Device Claims',
- 'Group Membership',
- 'File System',
- 'Registry',
- 'Kernel Object',
- 'SAM',
- 'Certification Services',
- 'Application Generated',
- 'Handle Manipulation',
- 'File Share',
- 'Filtering Platform Packet Drop',
- 'Filtering Platform Connection',
- 'Other Object Access Events',
- 'Detailed File Share',
- 'Removable Storage',
- 'Central Policy Staging',
- 'Non Sensitive Privilege Use',
- 'Other Privilege Use Events',
- 'Sensitive Privilege Use',
- 'Process Creation',
- 'Process Termination',
- 'DPAPI Activity',
- 'RPC Events',
- 'Plug and Play Events',
- 'Token Right Adjusted Events',
- 'Audit Policy Change',
- 'Authentication Policy Change',
- 'Authorization Policy Change',
- 'MPSSVC Rule-Level Policy Change',
- 'Filtering Platform Policy Change',
- 'Other Policy Change Events',
- 'Computer Account Management',
- 'Security Group Management',
- 'Distribution Group Management',
- 'Application Group Management',
- 'Other Account Management Events',
- 'User Account Management',
- 'Directory Service Access',
- 'Directory Service Changes',
- 'Directory Service Replication',
- 'Detailed Directory Service 
Replication',
- 'Kerberos Service Ticket Operations',
- 'Other Account Logon Events',
- 'Kerberos Authentication Service',
- 'Credential Validation')]
- [string] $Subcategory,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [ValidateSet(
- 'Success',
- 'Failure',
- 'Success and Failure',
- 'No Auditing')]
- [string] $AuditFlag
- )
-
- process {
- # Get the audit policy for the subcategory $subcategory
- $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory $Subcategory
- $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID"
-
- # auditpol does not throw exceptions, so test the results and throw if needed
- if ($LASTEXITCODE -ne 0) {
- $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"
- throw [System.ArgumentException] $errorString
- Write-Error -Message $errorString
- }
-
- if ($null -eq $auditPolicyString) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Couldn't get setting. Auditpol returned nothing."
- Audit = [AuditStatus]::False
- }
- }
-
- # Remove empty lines and headers
- $line = $auditPolicyString `
- | Where-Object { $_ } `
- | Select-Object -Skip 3
-
- if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure)$") {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Couldn't get setting." 
- Audit = [AuditStatus]::False
- }
- }
-
- $setting = $Matches[0]
-
- if ($setting -ne $AuditFlag -and -not (($line -eq "Success and Failure" -and ($AuditFlag -in "Success", "Failure")))) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Set to: $setting"
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-WindowsFeatureAudit {
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Feature
- )
-
- process {
- $installState = (Get-WindowsFeature | Where-Object Name -eq $Feature).InstallState
-
- if ($installState -eq "Installed") {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "The feature is installed."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-enum GARights {
- GENERIC_READ = 0x80000000
- GENERIC_WRITE = 0x40000000
- GENERIC_EXECUTE = 0x20000000
- GENERIC_ALL = 0x10000000
-}
-
-# See https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights for more information
-$GAToFSRMapping = @{
- [GARights]::GENERIC_READ = `
- [FileSystemRights]::ReadAttributes -bor `
- [FileSystemRights]::ReadData -bor `
- [FileSystemRights]::ReadExtendedAttributes -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_WRITE = `
- [FileSystemRights]::AppendData -bor `
- [FileSystemRights]::WriteAttributes -bor `
- [FileSystemRights]::WriteData -bor `
- [FileSystemRights]::WriteExtendedAttributes -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_EXECUTE = `
- 
[FileSystemRights]::ExecuteFile -bor `
- [FileSystemRights]::ReadPermissions -bor `
- [FileSystemRights]::ReadAttributes -bor `
- [FileSystemRights]::Synchronize
- [GARights]::GENERIC_ALL = `
- [FileSystemRights]::FullControl
-}
-
-function Convert-FileSystemRights {
- param(
- [Parameter(Mandatory = $true)]
- [FileSystemRights] $OriginalRights
- )
-
- [FileSystemRights]$MappedRights = [FileSystemRights]::new()
-
- # map generic access right
- foreach ($GAR in $GAToFSRMapping.Keys) {
- if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
- $MappedRights = $MappedRights -bor $GAToFSRMapping[$GAR]
- }
- }
-
- # mask standard access rights and object-specific access rights
- $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
-
- return $MappedRights
-}
-
-# Non official mappings
-$GAToRRMaping = @{
- [GARights]::GENERIC_READ = `
- [RegistryRights]::ReadKey
- [GARights]::GENERIC_WRITE = `
- [RegistryRights]::WriteKey
- [GARights]::GENERIC_ALL = `
- [RegistryRights]::FullControl
-}
-
-function Get-FileSystemPermissionsAudit {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Target,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [hashtable] $PrincipalRights
- )
-
- process {
- if ($Target -match "(%(.+)%)") {
- $varName = $Matches[2]
- $replaceValue = (Get-Item -Path "Env:$varName").Value
- $Target = $Target.Replace($Matches[1], $replaceValue)
- }
-
- $acls = (Get-Acl $Target).Access
-
- Write-Verbose "File system permissions for target: $Target)"
-
- $prinicpalsWithTooManyRights = $acls | Where-Object {
- $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
- }
- $principalsWithWrongRights = $acls `
- | Where-Object { $_.IdentityReference.Value -in 
$PrincipalRights.Keys } `
- | Where-Object {
- # convert string to rights enum
- $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [FileSystemRights]$_ }
- $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
- $mappedRights -notin $referenceRights
- }
-
- if (($prinicpalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
- $logOptions = @{
- Path = $Settings.LogFilePath
- Name = $Settings.LogFileName
- Level = "Error"
- }
-
- $messages = @()
- $messages += $prinicpalsWithTooManyRights | ForEach-Object {
- $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
- "Unexpected '$($_.IdentityReference)' with access '$($mappedRights)'"
- }
- $messages += $principalsWithWrongRights | ForEach-Object {
- $idKey = $_.IdentityReference.Value
- $mappedRights = Convert-FileSystemRights -OriginalRights $_.FileSystemRights
- "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
- }.GetNewClosure()
- $messages | ForEach-Object { Write-LogFile @logOptions -Message "$($Id): $_" }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = $messages -join "; "
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Convert-RegistryRights {
- param(
- [Parameter(Mandatory = $true)]
- [RegistryRights] $OriginalRights
- )
-
- [RegistryRights]$MappedRights = [RegistryRights]::new()
-
- # map generic access right
- foreach ($GAR in $GAToRRMaping.Keys) {
- if (($OriginalRights.value__ -band $GAR.value__) -eq $GAR.value__) {
- $MappedRights = $MappedRights -bor $GAToRRMaping[$GAR]
- }
- }
-
- # mask standard access rights and object-specific access rights
- $MappedRights = $MappedRights -bor ($OriginalRights -band 0x00FFFFFF)
-
- return $MappedRights
-}
-
-function Get-RegistryPermissionsAudit {
- [CmdletBinding()]
- Param(
- 
[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Target,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [hashtable] $PrincipalRights
- )
-
- process {
- if ($Target -match "(%(.+)%)") {
- $varName = $Matches[2]
- $replaceValue = (Get-Item -Path "Env:$varName").Value
- $Target = $Target.Replace($Matches[1], $replaceValue)
- }
-
- $acls = (Get-Acl $Target).Access
-
- Write-Verbose "Registry permissions for target: $Target)"
-
- $prinicpalsWithTooManyRights = $acls | Where-Object {
- $_.IdentityReference.Value -NotIn $PrincipalRights.Keys
- }
- $principalsWithWrongRights = $acls `
- | Where-Object { $_.IdentityReference.Value -in $PrincipalRights.Keys } `
- | Where-Object {
- # convert string to rights enum
- $referenceRights = $PrincipalRights[$_.IdentityReference.Value] | ForEach-Object { [RegistryRights]$_ }
- $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
- $mappedRights -notin $referenceRights
- }
-
- if (($prinicpalsWithTooManyRights.Count -gt 0) -or ($principalsWithWrongRights.Count -gt 0)) {
- $logOptions = @{
- Path = $Settings.LogFilePath
- Name = $Settings.LogFileName
- Level = "Error"
- }
-
- $messages = @()
- $messages += $prinicpalsWithTooManyRights | ForEach-Object {
- $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
- "Unexpected '$($_.IdentityReference)' with access '$($mappedRights)'"
- }
- $messages += $principalsWithWrongRights | ForEach-Object {
- $idKey = $_.IdentityReference.Value
- $mappedRights = Convert-RegistryRights -OriginalRights $_.RegistryRights
- "Found '$($idKey)' with access '$($mappedRights)' instead of '$($PrincipalRights[$idKey])'"
- }.GetNewClosure()
- $messages | ForEach-Object { Write-LogFile @logOptions -Message "$($Id): $_" }
-
- 
return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = $messages -join "; "
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-function Get-FirewallProfileAudit {
- [CmdletBinding()]
- Param(
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Id,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Task,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Profile,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Setting,
-
- [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
- [string] $Value
- )
-
- process {
- Write-Verbose -Message "Profile: $Profile, Setting: $Setting, Value: $Value"
-
- $firewallProfileArgs = @{ Name = $Profile }
- # if ($Setting -like "AllowLocal*Rules") {
- # $firewallProfileArgs.PolicyStore = "localhost"
- # }
-
- $profileSettings = Get-NetFirewallProfile @firewallProfileArgs
- $currentValue = $profileSettings | Select-Object -ExpandProperty $Setting
-
- if ($currentValue -ne $Value) {
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Profile setting '$Setting' is currently set to '$currentValue'. Expected value is '$Value'."
- Audit = [AuditStatus]::False
- }
- }
-
- return [AuditInfo]@{
- Id = $Id
- Task = $Task
- Message = "Compliant"
- Audit = [AuditStatus]::True
- }
- }
-}
-
-#endregion
-
-#region Audit tests
-<#
- This section contains all audit tests. 
Each test will return a PSCustomObject with the following properties
-
- Name The name or ID of the test,something to uniquely identify it
- Task Short description of the test or the
- Status Compliant / Not comliant / error
- Passed Is the test successful (true / false / warning
-
- If an error occured, the error message and/or additional informations are logged in the logfile defined through $Settings.LogFilePath and $Settings.LogFileName
-#>
-
-#region DISA STIG Audit functions
-
-# Task: Passwords for the built-in Administrator account must be changed at least every 60 days.
-function Test-Stig_WN16_00_000030 {
- Param(
- [System.Int32] $days = 60
- )
-
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000030")
- $obj | Add-Member NoteProperty Task("Passwords for the built-in Administrator account must be changed at least every $days days.")
-
- $builtInAdmin = Get-localUser | Where-Object -Property sid -like "S-1-5-*-500"
-
- if ($builtInAdmin.PasswordLastSet -le (Get-Date).AddDays(-$days)) {
- $message = "Password for $($BuiltInAdmin.Name) last set on $($BuiltInAdmin.PasswordLastSet)"
- $obj | Add-Member NoteProperty Status($message)
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- else {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- return $obj
-}
-
-# Task: Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. 
-function Test-Stig_WN16_00_000100 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000100")
- $obj | Add-Member NoteProperty Task("Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.")
-
- # If machine is in a domain
- if ((Get-CimInstance -Class Win32_ComputerSystem).PartOfDomain) {
- try {
- # Get TPM infos
- $tpm = Get-Tpm
-
- if ( $tpm.TpmPresent -and $tpm.TpmReady ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("TPM is not present or ready for use.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- # Get-Tpm threw an exception, so we probably do not have a TPM chip
- $obj | Add-Member NoteProperty Status("TPM missing")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- else {
- # If the machine is not domain joined, this is not a finding
- $obj | Add-Member NoteProperty Status("Not in domain")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
-
- return $obj
-}
-
-# Task: Systems must be maintained at a supported servicing level.
-function Test-Stig_WN16_00_000110 {
- Param(
- [System.Int32]$version = 14393
- )
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000110")
- $obj | Add-Member NoteProperty Task("Systems must be maintained at a supported servicing level.")
-
- $acutalVersion = ([System.Environment]::OSVersion.Version).Build
-
- if ( $acutalVersion -ge $version ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Version is $acutalVersion")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-
-# Task: Local volumes must use a format that supports NTFS attributes. 
-function Test-Stig_WN16_00_000150 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000150")
- $obj | Add-Member NoteProperty Task("Local volumes must use a format that supports NTFS attributes.")
-
- $volumes = Get-Volume `
- | Where-Object DriveType -eq Fixed `
- | Where-Object FileSystem -ne "NTFS"
-
- if ($volumes.Count -eq 0) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Found volume without NTFS formatting. " + ($volumes.UniqueId -join ', '))
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-
-# Task: Non-administrative accounts or groups must only have print permissions on printer shares.
-function Test-Stig_WN16_00_000200 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000200")
- $obj | Add-Member NoteProperty Task("Non-administrative accounts or groups must only have print permissions on printer shares.")
-
- $printers = Get-Printer
- $sharedPrinter = @()
-
- foreach ( $printer in $printers ) {
- if ( $printer.shared ) {
- $sharedPrinter += $printer.name
- }
- }
-
- if ( $sharedPrinter ) {
- $obj | Add-Member NoteProperty Status("Found shared printer(s)")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000200: Found shared printer(s) $sharedPrinter, please check printer security settings" -Level Error
- }
- else {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
-
- return $obj
-}
-
-# Task: Outdated or unused accounts must be removed from the system or disabled. 
-function Test-Stig_WN16_00_000210 {
- [CmdletBinding()]
- Param(
- [System.Int32]$days = 35
- )
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000210")
- $obj | Add-Member NoteProperty Task("Outdated or unused accounts must be removed from the system or disabled.")
-
- $accounts = ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where-Object { $_.SchemaClassName -eq 'user' }
-
- $compliant = $true
-
- foreach ($account in $accounts) {
-
- # if account is enabled
- if ( ($account.Properties.UserFlags.Value -band 0x2) -ne 0x2 ) {
- if ( $account.Properties.LastLogin.Value -lt (Get-Date).AddDays(-$days) ) {
- $compliant = $false
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000210: Outdated or unused account $($account.Name) - no login within $days days" -Level Error
- }
- }
- }
-
- if ( $compliant ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Found outdated or unused accounts.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-
-# Task: Accounts must require passwords. 
-function Test-Stig_WN16_00_000220 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000220")
- $obj | Add-Member NoteProperty Task("Accounts must require passwords.")
-
- $accounts = Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | Select-Object Name, PasswordRequired, Disabled
- $passwordNotRequired = @()
-
- foreach ($account in $accounts) {
- if (-not $account.Disabled) {
- if ( -not $account.PasswordRequired) {
- $passwordNotRequired += $account.name
- }
- }
- }
-
- if ( $passwordNotRequired ) {
- $obj | Add-Member NoteProperty Status("Found account without password.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- foreach ($entry in $passwordNotRequired) {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000220: Found enabled account not requiring a password: $entry" -Level Error
- }
- }
- else {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
-
- return $obj
-}
-
-# Task: Passwords must be configured to expire. 
-function Test-Stig_WN16_00_000230 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000230")
- $obj | Add-Member NoteProperty Task("Passwords must be configured to expire.")
-
- $accounts = Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | Select-Object Name, PasswordExpires, Disabled
- $passwordNeverExpires = @()
-
- foreach ($account in $accounts) {
- if (-not $account.Disabled) {
- if ( -not $account.PasswordExpires) {
- $passwordNeverExpires += $account.name
- }
- }
- }
-
- if ( $passwordNeverExpires ) {
- $obj | Add-Member NoteProperty Status("Found account with never expiring passwords.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- foreach ($entry in $passwordNeverExpires) {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000220: Found enabled account not requiring a password: $entry" -Level Error
- }
- }
- else {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
-
- return $obj
-}
-
-# Task: Non-system-created file shares on a system must limit access to groups that require it. 
-function Test-Stig_WN16_00_000250 {
- [CmdletBinding()]
- Param(
- [String[]]$reference = @("ADMIN$", "C$", "IPC$")
- )
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000250")
- $obj | Add-Member NoteProperty Task("Non-system-created file shares on a system must limit access to groups that require it.")
-
- try {
- $shares = Get-CimInstance -Class Win32_Share | Select-Object -ErrorAction Stop -ExpandProperty Name
-
- $compare = Compare-Object -ReferenceObject $reference -DifferenceObject $shares
-
- if ( $compare.Count -eq 0 ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Shares not as expected")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::Warning)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000250: Found shares $shares" -Level Error
- }
- }
- catch {
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000250: $($error[0])" -Level Error
- }
-
- return $obj
-}
-
-# Task: Software certificate installation files must be removed from Windows Server 2016. 
-function Test-Stig_WN16_00_000270 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000270")
- $obj | Add-Member NoteProperty Task("Software certificate installation files must be removed from Windows Server 2016.")
-
- $items = Get-Childitem –Path C:\ -Include *.pfx, *.p12 -File -Recurse -ErrorAction SilentlyContinue
-
- if ( $items.Count -eq 0 ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Found certificates.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000270: Found the following certificates: `n $items"
- }
-
- return $obj
-}
-
-# Task: Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
-function Test-Stig_WN16_00_000280 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-00-000280")
- $obj | Add-Member NoteProperty Task("Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.")
-
- try {
- $volumes = Get-BitLockerVolume -ErrorAction Stop
- $notProtected = $false
-
- foreach ( $volume in $volumes ) {
- if ( -not (($volume.VolumeStatus -eq "FullyEncrypted") -and ($volume.ProtectionStatus -eq "On")) ) {
- $notProtected = $true
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000280: Drive $($volume.MountPoint) not BitLocker protected" -Level Error
- }
- }
-
- if ( $notProtected ) {
- $obj | Add-Member NoteProperty Status("Bitlocker not enabled")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- else {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- 
}
- }
- catch {
- $obj | Add-Member NoteProperty Status("Bitlocker not enabled")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-00-000280: BitLocker not found on system" -Level Error
- }
-
- return $obj
-}
-
-# Task: Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (VirtualizationBasedSecurityStatus Running).
-function Test-Stig_WN16_CC_000110_C {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-CC-000110 C")
- $obj | Add-Member NoteProperty Task("Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (VirtualizationBasedSecurityStatus Running).")
-
- $vBSS = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard `
- | Select-Object -ExpandProperty VirtualizationBasedSecurityStatus
-
- # 2 indicates running
- if ($vBSS -eq 2) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Device Guard not running")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-CC-000110: Device Guard not running" -Level Error
- }
-
- return $obj
-}
-
-# Task: Credential Guard must be running on domain-joined systems (SecurityServicesRunning). 
-function Test-Stig_WN16_CC_000120_B {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-CC-000120 B")
- $obj | Add-Member NoteProperty Task("Credential Guard must be running on domain-joined systems (SecurityServicesRunning).")
-
- try {
- $securityServices = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object -ErrorAction Stop -ExpandProperty SecurityServicesRunning
-
- if ($securityServices -contains 1) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Security services aren't running.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-CC-000120: $($error[0])" -Level Error
- }
-
- return $obj
-}
-
-# Task: Virtualization-based protection of code integrity must be enabled on domain-joined systems (SecurityServicesRunning). 
-function Test-Stig_WN16_CC_000130_B {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-CC-000130 B")
- $obj | Add-Member NoteProperty Task("Virtualization-based protection of code integrity must be enabled on domain-joined systems (SecurityServicesRunning).")
-
- try {
- $securityServices = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object -ErrorAction Stop -ExpandProperty SecurityServicesRunning
-
- if ($securityServices -contains 2) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Not compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-CC-000130: $($error[0])" -Level Error
- }
-
- return $obj
-}
-
-# Task: The built-in administrator account must be renamed. 
-function Test-Stig_WN16_SO_000030 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-SO-000030")
- $obj | Add-Member NoteProperty Task("The built-in administrator account must be renamed.")
-
- try {
- # local admin account SID ends with 500
- $builtInAdmin = Get-localUser | Where-Object -Property sid -like "S-1-5-*-500"
- $otherAdmins = Get-LocalAdminNames | Where-Object { $_ -eq "Administrator" }
-
- if (($null -ne $builtInAdmin.Name) -and ($builtInAdmin.Name -ne "Administrator")) {
- if ($otherAdmins.Count -eq 0) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Built-in Administrator is renamed, but other account in the Administrators local group is named Administrator.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::Warning)
- }
- }
- else {
- $obj | Add-Member NoteProperty Status("Built-in Administrator account is not renamed.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-SO-000030: Cannot get local admin account info - $($error[0])" -Level Error
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-
-# Task: The built-in guest account must be renamed. 
-function Test-Stig_WN16_SO_000040 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-SO-000040")
- $obj | Add-Member NoteProperty Task("The built-in guest account must be renamed.")
-
- try {
- # local guest account SID ends with 501
- $account = Get-localUser | Where-Object -Property SID -like "S-1-5-*-501"
-
- if ( ($account.name -ne "Guest") -and ($null -ne $account.name) ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Built-in guest account not renamed.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-SO-000040: Cannot get local guest account info - $($error[0])" -Level Error
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-
-# Task: The built-in guest account must be disabled. 
-function Test-Stig_WN16_SO_000010 {
- $obj = New-Object PSObject
- $obj | Add-Member NoteProperty Name("WN16-SO-000010")
- $obj | Add-Member NoteProperty Task("The built-in guest account must be disabled.")
-
- try {
- # local guest account SID ends with 501
- $account = Get-localUser | Where-Object -Property sid -like "S-1-5-*-501"
-
- if ( $account.Enabled -eq $false ) {
- $obj | Add-Member NoteProperty Status("Compliant")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::True)
- }
- else {
- $obj | Add-Member NoteProperty Status("Built-in guest account is not disabled.")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
- }
- catch {
- Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Message "WN16-SO-000010: Cannot get local guest account info - $($error[0])" -Level Error
- $obj | Add-Member NoteProperty Status("Error")
- $obj | Add-Member NoteProperty Passed([AuditStatus]::False)
- }
-
- return $obj
-}
-#endregion
-
-#endregion
-
-function New-AuditPipeline {
- [CmdletBinding()]
- param(
- [Parameter(Mandatory = $true, Position = 0)]
- [scriptblock[]] $AuditFunctions
- )
-
- return {
- param(
- [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
- [hashtable] $AuditSetting
- )
-
- process {
- $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting
-
- foreach ($auditFunction in $AuditFunctions) {
- $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference
- if ($audit -is [AuditInfo]) {
- return $audit
- }
- }
- return $null
- }
- }.GetNewClosure()
-}
-
-function Get-DisaAudit {
- [CmdletBinding()]
- Param(
- [switch] $PerformanceOptimized,
-
- [switch] $RegistrySettings,
-
- [switch] $UserRights,
-
- [switch] $AccountPolicies,
-
- [switch] $WindowsFeatures,
-
- [switch] $FileSystemPermissions,
-
- [switch] $RegistryPermissions,
-
- [switch] $OtherAudits
- )
-
- # disa registry settings
- if ($RegistrySettings) {
- $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, 
${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } - # disa user rights - if ($UserRights) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-UserRightPolicyAudit} - $DisaRequirements.UserRights | &$pipline -Verbose:$VerbosePreference - } - # disa account policy - if ($AccountPolicies) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-AccountPolicyAudit} - $DisaRequirements.AccountPolicies | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } - # disa windows features - if ($WindowsFeatures) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-WindowsFeatureAudit} - $DisaRequirements.WindowsFeatures | &$pipline -Verbose:$VerbosePreference - } - # disa file system permissions - if ($FileSystemPermissions) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-FileSystemPermissionsAudit} - $DisaRequirements.FileSystemPermissions | &$pipline -Verbose:$VerbosePreference - } - # disa registry permissions - if ($RegistryPermissions) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-RegistryPermissionsAudit} - $DisaRequirements.RegistryPermissions | &$pipline -Verbose:$VerbosePreference - } - - if ($OtherAudits) { - Test-Stig_WN16_00_000030 | Convert-ToAuditInfo - Test-Stig_WN16_00_000100 | Convert-ToAuditInfo - Test-Stig_WN16_00_000110 | Convert-ToAuditInfo - Test-Stig_WN16_00_000150 | Convert-ToAuditInfo - Test-Stig_WN16_00_000200 | Convert-ToAuditInfo - Test-Stig_WN16_00_000210 | Convert-ToAuditInfo - Test-Stig_WN16_00_000220 | Convert-ToAuditInfo - Test-Stig_WN16_00_000230 | Convert-ToAuditInfo - Test-Stig_WN16_00_000250 | Convert-ToAuditInfo - if (-not ($PerformanceOptimized)) { - Test-Stig_WN16_00_000270 | Convert-ToAuditInfo - } - Test-Stig_WN16_00_000280 | Convert-ToAuditInfo - Test-Stig_WN16_CC_000110_C | Convert-ToAuditInfo - 
Test-Stig_WN16_CC_000120_B | Convert-ToAuditInfo - if (-not ($PerformanceOptimized)) { - Test-Stig_WN16_CC_000130_B | Convert-ToAuditInfo - } - Test-Stig_WN16_SO_000030 | Convert-ToAuditInfo - Test-Stig_WN16_SO_000040 | Convert-ToAuditInfo - Test-Stig_WN16_SO_000010 | Convert-ToAuditInfo - } -} - -function Get-CisAudit { - [CmdletBinding()] - Param( - [switch] $PerformanceOptimized, - - # [string[]] $Exclude - - [switch] $RegistrySettings, - - [switch] $UserRights, - - [switch] $AccountPolicies, - - [switch] $FirewallProfiles, - - [switch] $AuditPolicies - ) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } - # cis user rights - if ($UserRights) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-UserRightPolicyAudit} - $CisBenchmarks.UserRights | &$pipline -Verbose:$VerbosePreference - } - # cis account policies - if ($AccountPolicies) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-AccountPolicyAudit} - $CisBenchmarks.AccountPolicies | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } - # cis firewall profiles - if ($FirewallProfiles) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-FirewallProfileAudit} - $CisBenchmarks.FirewallProfileSettings | &$pipline -Verbose:$VerbosePreference - } - # cis audit policies - if ($AuditPolicies) { - $pipline = New-AuditPipeline ${Function:Get-RoleAudit}, ${Function:Get-AuditPolicyAudit} - $CisBenchmarks.AuditPolicies | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -function Get-HtmlReport { - param ( - [string] $Path = "$($env:HOMEPATH)\Documents\$(Get-Date -UFormat 
%Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode, - - [switch] $PerformanceOptimized - ) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "DISA Recommendations" - Description = "This section contains all recommendations from the Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - }, - @{ - Title = "User Rights Assignment" - AuditInfos = Get-DisaAudit -UserRights | Sort-Object -Property Id - }, - @{ - Title = "Account Policies" - AuditInfos = Get-DisaAudit -AccountPolicies | Sort-Object -Property Id - }, - @{ - Title = "Windows Features" - AuditInfos = Get-DisaAudit -WindowsFeatures | Sort-Object -Property Id - }, - @{ - Title = "File System Permissions" - AuditInfos = Get-DisaAudit -FileSystemPermissions | Sort-Object -Property Id - }, - @{ - Title = "Registry Permissions" - AuditInfos = Get-DisaAudit -RegistryPermissions | Sort-Object -Property Id - }, - @{ - Title = "Other" - AuditInfos = Get-DisaAudit -OtherAudits -PerformanceOptimized:$PerformanceOptimized | Sort-Object -Property Id - } - ) - }, - @{ - Title = "CIS Benchmarks" - Description = "This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet." 
- SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-CisAudit -RegistrySettings # | Sort-Object -Property Id - } - @{ - Title = "User Rights Assignment" - AuditInfos = Get-CisAudit -UserRights | Sort-Object -Property Id - } - @{ - Title = "Account Policies" - AuditInfos = Get-CisAudit -AccountPolicies | Sort-Object -Property Id - } - @{ - Title = "Windows Firewall with Advanced Security" - AuditInfos = Get-CisAudit -FirewallProfiles | Sort-Object -Property Id - } - @{ - Title = " Advanced Audit Policy Configuration" - AuditInfos = Get-CisAudit -AuditPolicies | Sort-Object -Property Id - } - ) - } - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Windows Server 2016 Audit Report" ` - -ModuleName "WindowsServer2016Audit" ` - -BasedOn "Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27", "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-WindowsServer2016HtmlReport -Value Get-HtmlReport -#endregion \ No newline at end of file diff --git a/Word2016Audit/MS_Word_2016_DISA_STIG_V1R1.psd1 b/Word2016Audit/MS_Word_2016_DISA_STIG_V1R1.psd1 deleted file mode 100644 index ef49e035..00000000 --- a/Word2016Audit/MS_Word_2016_DISA_STIG_V1R1.psd1 +++ /dev/null 
@@ -1,256 +0,0 @@ -# Requirements for Microsoft Word 2016 DISA STIG V1R1 -# Created at 03/19/2019 00:22:23 - -@{ - RegistrySettings = @( - @{ - Id = "DTOO104" - Task = "Disabling of user name and password syntax from being used in URLs must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO110" - Task = "Blocking as default file block opening behavior must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "OpenInProtectedView" - Value = 0 - } - @{ - Id = "DTOO111" - Task = "The Internet Explorer Bind to Object functionality must be enabled." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO117" - Task = "Saved from URL mark to assure Internet zone processing must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO119" - Task = "Configuration for file validation must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\filevalidation" - Name = "EnableOnLoad" - Value = 1 - } - @{ - Id = "DTOO121" - Task = "Files from the Internet zone must be opened in Protected View." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" - Name = "DisableInternetFilesInPV" - Value = 0 - } - @{ - Id = "DTOO123" - Task = "Navigation to URLs embedded in Office products must be blocked." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO124" - Task = "Scripted Window Security must be enforced." 
- Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO126" - Task = "Add-on Management functionality must be allowed." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO127" - Task = "Add-ins to Office applications must be signed by a Trusted Publisher." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "RequireAddinSig" - Value = 1 - } - @{ - Id = "DTOO129" - Task = "Links that invoke instances of Internet Explorer from within an Office product must be blocked." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO131" - Task = "Trust Bar Notifications for unsigned application add-ins must be blocked." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "NoTBPromptUnsignedAddin" - Value = 1 - } - @{ - Id = "DTOO132" - Task = "File Downloads must be configured for proper restrictions." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO133" - Task = "All automatic loading from trusted locations must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\trusted locations" - Name = "AllLocationsDisabled" - Value = 1 - } - @{ - Id = "DTOO134" - Task = "Disallowance of trusted locations on the network must be enforced." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\trusted locations" - Name = "AllowNetworkLocations" - Value = 0 - } - @{ - Id = "DTOO139" - Task = "The Save commands default file format must be configured." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\options" - Name = "DefaultFormat" - Value = "(blank)" - } - @{ - Id = "DTOO142" - Task = "Force encrypted macros to be scanned in open XML documents must be determined and configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "WordBypassEncryptedMacroScan" - Value = 0 - DoesNotExist = $true - } - @{ - Id = "DTOO146" - Task = "Trust access for VBA must be disallowed." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "AccessVBOM" - Value = 0 - } - @{ - Id = "DTOO209" - Task = "Protection from zone elevation must be enforced." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO211" - Task = "ActiveX Installs must be configured for proper restriction." - Path = "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" - Name = "winword.exe" - Value = 1 - } - @{ - Id = "DTOO288" - Task = "Files in unsafe locations must be opened in Protected View." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" - Name = "DisableUnsafeLocationsInPV" - Value = 0 - DoesNotExist = $true - } - @{ - Id = "DTOO292" - Task = "Document behavior if file validation fails must be set." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\security\filevalidation" - Name = "openinprotectedview" - Value = 1 - DoesNotExist = $true - } - @{ - Id = "DTOO292_b" - Task = "Document behavior if file validation fails must be set." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\security\filevalidation" - Name = "DisableEditFromPV" - Value = 1 - } - @{ - Id = "DTOO293" - Task = "Attachments opened from Outlook must be in Protected View." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\protectedview" - Name = "DisableAttachmentsInPV" - Value = 0 - } - @{ - Id = "DTOO302" - Task = "The automatically update links feature must be disabled." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\options" - Name = "DontUpdateLinks" - Value = 1 - } - @{ - Id = "DTOO304" - Task = "Warning Bar settings for VBA macros must be configured." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "VBAWarnings" - Value = 2 - # Values of REG_DWORD = 3 or 4 are also acceptable values. - } - @{ - Id = "DTOO328" - Task = "Online translation dictionaries must not be used." - Path = "HKCU:\software\policies\Microsoft\office\16.0\common\research\translation" - Name = "useonline" - Value = 0 - } - @{ - Id = "DTOO333" - Task = "Word 2 and earlier binary documents and templates must be blocked for open/save." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "Word2Files" - Value = 2 - } - @{ - Id = "DTOO334" - Task = "Word 2000 binary documents and templates must be configured to edit in protected view." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "Word2000Files" - Value = 5 - } - @{ - Id = "DTOO336" - Task = "Word 6.0 binary documents and templates must be configured for block open/save actions." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "Word60Files" - Value = 2 - } - @{ - Id = "DTOO337" - Task = "Word 95 binary documents and templates must be configured to edit in protected view." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "Word95Files" - Value = 5 - } - @{ - Id = "DTOO338" - Task = "Word 97 binary documents and templates must be configured to edit in protected view." 
- Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "Word97Files" - Value = 5 - } - @{ - Id = "DTOO339" - Task = "Word XP binary documents and templates must be configured to edit in protected view." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security\fileblock" - Name = "WordXPFiles" - Value = 5 - } - @{ - Id = "DTOO600" - Task = "Macros must be blocked from running in Office files from the Internet." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\word\security" - Name = "blockcontentexecutionfrominternet" - Value = 1 - } - @{ - Id = "DTOO605" - Task = "Files on local Intranet UNC must be opened in Protected View." - Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\security\protectedview" - Name = "DisableIntranetCheck" - Value = 0 - } - ) -} diff --git a/Word2016Audit/README.md b/Word2016Audit/README.md deleted file mode 100644 index a425bf4d..00000000 --- a/Word2016Audit/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Word 2016 Audit - -based on -* _DISA Microsoft Word 2016 Security Technical Implementation Guide V1R1 2016-11-14_ - -## Overview - -The `Word2016Audit`-Module benchmarks the current Microsoft Word 2016 settings with current hardening standards from DISA. - -## Requirements - -Please make sure that following requirements are fulfilled: - -* **Microsoft Word 2016** -* **ATAPHtmlReport Module:** This module is used for the html report generation and is [included](../ATAPHtmlReport) in the Audit Test Automation Package. Follow the instructions at the link to install the module. - -### Loading the Word 2016 Audit module - -You only need to import the module when you haven't installed it. - -1. Download the release zip and export the modules in a location you can easily access with PowerShell -2. Navigate to the location with PowerShell and import the modules with `Import-Module`. For example: -```Powershell -cd .\Desktop\ -Import-Module -Name .\Audit-Test-Automation\Word2016Audit -Verbose -``` -3. Generate a report with `Get-Word2016HtmlReport` For example: -```PowerShell -Get-Word2016HtmlReport -Path "reports/report.html" -``` - -## Sample report - -You can find a sample report in the [Sample](Sample) folder. \ No newline at end of file diff --git a/Word2016Audit/Settings.psd1 b/Word2016Audit/Settings.psd1 deleted file mode 100644 index 4d52b279..00000000 --- a/Word2016Audit/Settings.psd1 +++ /dev/null 
@@ -1,49 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2018, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - Email = @{ - SMTPServer = "smtp.example.com" - SMTPPort = 25 - MailTo = "mailto@example.com" - MailFrom = "Microsoft Word 2016 Audit Reporting" - Encoding = "UTF8" - User = "audittap@example.com" - PasswordFile = "" - } - - # Path to logfiles - LogFilePath = "C:\Logs" - - # Standard logfile name, used if no other name is passed as parameter - LogFileName = "auditreport.log" -} \ No newline at end of file 
diff --git a/Word2016Audit/Word2016Audit.psd1 b/Word2016Audit/Word2016Audit.psd1 deleted file mode 100644 index 03ac52d3..00000000 --- a/Word2016Audit/Word2016Audit.psd1 +++ /dev/null 
@@ -1,148 +0,0 @@ -<# -BSD 3-Clause License - -Copyright (c) 2019, FB Pro GmbH -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -* Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -#> - -@{ - -# Script module or binary module file associated with this manifest. -RootModule = 'Word2016Audit.psm1' - -# Version number of this module. 
-ModuleVersion = '0.1' - -# Supported PSEditions -# CompatiblePSEditions = @() - -# ID used to uniquely identify this module -GUID = '880a8e8d-def6-4355-86a1-f19b1b825c7e' - -# Author of this module -Author = 'Dennis Esly' - -# Company or vendor of this module -CompanyName = 'FB Pro GmbH' - -# Copyright statement for this module -Copyright = '(c) 2019 FB-Pro GmbH. All rights reserved.' - -# Description of the functionality provided by this module -Description = "A module that benchmarks your Microsoft Word 2016 settings with current hardening standards such as the DISA Security Technical Implementation Guide and the CIS Benchmarks." - -# Minimum version of the Windows PowerShell engine required by this module -PowerShellVersion = '5.0' - -# Name of the Windows PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the Windows PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# CLRVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - -# Modules that must be imported into the global environment prior to importing this module -RequiredModules = @( - 'ATAPHtmlReport' -) - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
-# ScriptsToProcess = @() - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() - -# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -# FunctionsToExport = '*' - -# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. -# CmdletsToExport = '*' - -# Variables to export from this module -# VariablesToExport = '*' - -# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. -# AliasesToExport = '*' - -# DSC resources to export from this module -# DscResourcesToExport = @() - -# List of all modules packaged with this module -# ModuleList = @() - -# List of all files packaged with this module -# FileList = @() - -# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. -PrivateData = @{ - - PSData = @{ - - # Tags applied to this module. These help with module discovery in online galleries. - Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html', 'word', 'cis', 'disa') - - # A URL to the license for this module. - LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' - - # A URL to the main website for this project. - ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' - - # A URL to an icon representing this module. 
- # IconUri = '' - - # ReleaseNotes of this module - # ReleaseNotes = '' - - } # End of PSData hashtable - -} # End of PrivateData hashtable - -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - -} diff --git a/Word2016Audit/Word2016Audit.psm1 b/Word2016Audit/Word2016Audit.psm1 deleted file mode 100644 index 7aa419dc..00000000 --- a/Word2016Audit/Word2016Audit.psm1 +++ /dev/null 
@@ -1,440 +0,0 @@
-<#
-BSD 3-Clause License
-
-Copyright (c) 2019, FB Pro GmbH
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#> - -using module ATAPHtmlReport -using namespace Microsoft.PowerShell.Commands -using namespace System.Security.AccessControl - -# Import setting from file -$Settings = Import-LocalizedData -FileName "Settings.psd1" - -#region Import tests configuration settings -$DisaRequirements = Import-LocalizedData -FileName "MS_Word_2016_DISA_STIG_V1R1.psd1" -#endregion - - -#region Logging functions -function Set-LogFile { - [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name - ) - - $FullPath = Get-FullPath $Path $Name - - # Create file if it does not already exists - if (!(Test-Path -Path $FullPath)) { - - # Create file and start logging - New-Item -Path $FullPath -ItemType File -Force | Out-Null - - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" - Add-Content -Path $FullPath -Value "***************************************************************************************************" - Add-Content -Path $FullPath -Value "" - Add-Content -Path $FullPath -Value "" - } -} - -function Write-LogFile { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [Alias('LogMessage')] - [string]$Message, - - [Parameter(Mandatory = $true)] - [Alias('LogPath')] - [string]$Path, - - [Parameter(Mandatory = $true)] - [Alias('Logname')] - [string]$Name, - - [ValidateSet("Error", "Warning", "Info")] - [string]$Level = "Info" - ) - - - Set-LogFile $Path $Name - $FullPath = Get-FullPath $Path $Name - - # Format date for log file - $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - - switch ($Level) { - 'Error' { - # Write-Error $Message - $LevelText = '[ERROR]:' - } - 'Warning' { - # Write-Warning $Message - $LevelText = '[WARNING]:' - } - 'Info' { - 
# Write-Verbose $Message - $LevelText = '[INFO]:' - } - } - Add-Content $FullPath "$FormattedDate $LevelText" - Add-Content $FullPath "$Message" - Add-Content $FullPath "--------------------------" - Add-Content $FullPath "" -} - -function Get-FullPath { - [CmdletBinding()] - Param( - [Parameter(Mandatory = $true)] - [string]$Path, - [Parameter(Mandatory = $true)] - [string]$File - ) - - $FullPath = "" - if ($Path.Length -gt 0) { - if ($Path[$Path.Length - 1] -ne "\") { - $FullPath = $Path + "\" + $File - } - else { - $FullPath = $Path + $File - } - } - - return $FullPath -} -#endregion - -#region Helper functions - -function PreprocessSpecialValueSetting { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $InputObject -) - - Process { - if ($InputObject.Keys -contains "SpecialValue") { - $Type = $InputObject.SpecialValue.Type - $PreValue = $InputObject.SpecialValue.Value - - $InputObject.Remove("SpecialValue") - if ($Type -eq "Range") { - $preValue = $preValue.ToLower() - - $predicates = @() - if ($preValue -match "([0-9]+)[a-z ]* or less") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -le $y }.GetNewClosure() - } - if ($preValue -match "([0-9]+)[ a-z]* or greater") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ge $y }.GetNewClosure() - } - if ($preValue -match "not ([0-9]+)") { - $y = [int]$Matches[1] - $predicates += { param($x) $x -ne $y }.GetNewClosure() - } - - $InputObject.ExpectedValue = $preValue - $InputObject.Predicate = { - param($x) - return ($predicates | ForEach-Object { &$_ $x }) -notcontains $false - }.GetNewClosure() - return $InputObject - } - elseif ($Type -eq "Placeholder") { - $value = $Settings[$preValue] - $InputObject.Value = $value - - if ([string]::IsNullOrEmpty($value)) { - $InputObject.ExpectedValue = "Non-empty string." 
- $InputObject.Predicate = { param($x) -not [string]::IsNullOrEmpty($x) }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param($x) $x -eq $value }.GetNewClosure() - return $InputObject - } - } - - $value = $InputObject.Value - - if ($value.Count -gt 1) { - $InputObject.ExpectedValue = $value -join ", " - $InputObject.Predicate = { - param([string[]]$xs) - - if ($xs.Count -ne $value.Count) { - return $false - } - - $comparisonFunction = [Func[string, string, Boolean]]{ param($a, $b) $a -eq $b } - $comparison = [System.Linq.Enumerable]::Zip([string[]]$value, $xs, $comparisonFunction) - return $comparison -notcontains $false - }.GetNewClosure() - return $InputObject - } - - $InputObject.ExpectedValue = $value - $InputObject.Predicate = { param([string] $x) $value -eq $x }.GetNewClosure() - return $InputObject - } -} -#endregion - -#region Audit functions -function Get-RegistryAudit { -[CmdletBinding()] -Param( - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Id, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Task, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Path, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [string] $Name, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [AllowEmptyString()] - [object[]] $Value, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [ScriptBlock] $Predicate, - - [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] - [String] $ExpectedValue, - - [Parameter(ValueFromPipelineByPropertyName = $true)] - [bool] $DoesNotExist = $false -) - - process { - try { - $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` - | Select-Object -ExpandProperty $Name - - if (-not (& $Predicate $regValues)) { - Write-LogFile -Path $Settings.LogFilePath -Name 
$Settings.LogFileName -Level Error ` - -Message "$($Id): Registry value $Name in registry key $Path is not correct." - - $regValue = $regValues -join ", " - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." - Audit = [AuditStatus]::False - } - } - } - catch [System.Management.Automation.PSArgumentException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get value $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry value not found." - Audit = [AuditStatus]::False - } - } - catch [System.Management.Automation.ItemNotFoundException] { - Write-LogFile -Path $Settings.LogFilePath -Name $Settings.LogFileName -Level Error ` - -Message "$($Id): Could not get key $Name in registry key $path." - - if ($DoesNotExist) { - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant. Registry value not set." - Audit = [AuditStatus]::True - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Registry key not found." 
- Audit = [AuditStatus]::False - } - } - - return [AuditInfo]@{ - Id = $Id - Task = $Task - Message = "Compliant" - Audit = [AuditStatus]::True - } - } -} -#endregion - - -function New-AuditPipeline { -[CmdletBinding()] -param( - [Parameter(Mandatory = $true, Position = 0)] - [scriptblock[]] $AuditFunctions -) - - return { - param( - [Parameter(Mandatory = $true, ValueFromPipeline = $true)] - [hashtable] $AuditSetting - ) - - process { - $auditSettingObj = New-Object -TypeName psobject -Property $AuditSetting - - foreach ($auditFunction in $AuditFunctions) { - $audit = $auditSettingObj | & $auditFunction -Verbose:$VerbosePreference - if ($audit -is [AuditInfo]) { - return $audit - } - } - return $null - } - }.GetNewClosure() -} - -function Get-DisaAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # disa registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $DisaRequirements.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -function Get-CisAudit { -[CmdletBinding()] -Param( - [switch] $RegistrySettings -) - # cis registry settings - if ($RegistrySettings) { - $pipline = New-AuditPipeline ${Function:Get-RegistryAudit} - $CisBenchmarks.RegistrySettings | PreprocessSpecialValueSetting | &$pipline -Verbose:$VerbosePreference - } -} - -#region Report-Generation -<# - In this section the HTML report gets build and saved to the desired destination set by parameter saveTo -#> - -<# -.Synopsis - Generates an audit report in an html file. -.Description - The `Get-Word2016HtmlReport` cmdlet tests Microsoft Word 2016 settings and stores an html report at the path you specify. -.Parameter Path - Specifies the relative path to the file where the report will be stored. -.Parameter DarkMode - The report will use a darker color scheme with light text on a dark background. 
-.Example - C:\PS> Get-Word2016HtmlReport -Path "reports/report1.html" -#> -function Save-Word2016HtmlReport { -[CmdletBinding()] -Param ( - [string] $Path = [Environment]::GetFolderPath("MyDocuments")+"\"+"$(Get-Date -UFormat %Y%m%d_%H%M)_auditreport.html", - - [switch] $DarkMode -) - - $parent = Split-Path $Path - if (Test-Path $parent) { - [hashtable[]]$sections = @( - @{ - Title = "Recommandations"#"DISA Recommendations" - Description = ""#"This section contains all DISA recommendations" - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-DisaAudit -RegistrySettings | Sort-Object -Property Id - } - ) - } - <#@{ - Title = "CIS Benchmarks" - Description = "This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet." - SubSections = @( - @{ - Title = "Registry Settings/Group Policies" - AuditInfos = Get-CisAudit -RegistrySettings # | Sort-Object -Property Id - } - ) - }#> - ) - - Get-ATAPHtmlReport ` - -Path $Path ` - -Title "Microsoft Word 2016 Audit Report" ` - -ModuleName "Word2016Audit" ` - -BasedOn "DISA Microsoft Word 2016 Security Technical Implementation Guide V1R1 2016-11-14" ` - -Sections $sections ` - -DarkMode:$DarkMode - } - else { - Write-Error "The path doesn't not exist!" - } -} - -Set-Alias -Name Get-Word2016HtmlReport -Value Save-Word2016HtmlReport -Set-Alias -Name Get-HtmlReport -Value Save-Word2016HtmlReport -Set-Alias -Name shr -Value Save-Word2016HtmlReport -#endregion \ No newline at end of file