From 1278edb583cd58b8dafe944dc71e80533c5fdbbe Mon Sep 17 00:00:00 2001 From: Michael Schneider Date: Wed, 31 Aug 2022 07:13:43 +0200 Subject: [PATCH] Update to HardeningKitty v.0.8.1 --- Invoke-HardeningKitty.ps1 | 1118 ++++++++++------- README.md | 3 +- lists/finding_list_0x6d69636b_machine.csv | 6 +- lists/finding_list_0x6d69636b_user.csv | 9 +- ...oft_windows_10_enterprise_21h2_machine.csv | 4 +- lists/finding_list_microsoft_windows_tls.csv | 10 +- ...ding_list_microsoft_windows_tls_future.csv | 10 +- ...msft_security_baseline_edge_87_machine.csv | 2 +- ...msft_security_baseline_edge_88_machine.csv | 2 +- ...msft_security_baseline_edge_92_machine.csv | 2 +- ...msft_security_baseline_edge_93_machine.csv | 2 +- ...msft_security_baseline_edge_95_machine.csv | 2 +- ...msft_security_baseline_edge_96_machine.csv | 2 +- ...msft_security_baseline_edge_97_machine.csv | 2 +- ...msft_security_baseline_edge_98_machine.csv | 2 +- ...eline_microsoft_365_apps_v2104_machine.csv | 2 +- ...baseline_microsoft_365_apps_v2104_user.csv | 5 +- ...eline_microsoft_365_apps_v2112_machine.csv | 2 +- ...baseline_microsoft_365_apps_v2112_user.csv | 5 +- ...eline_microsoft_365_apps_v2206_machine.csv | 2 +- ...baseline_microsoft_365_apps_v2206_user.csv | 5 +- ...ecurity_baseline_office_365_v1908_user.csv | 2 +- 22 files changed, 684 insertions(+), 515 deletions(-) diff --git a/Invoke-HardeningKitty.ps1 b/Invoke-HardeningKitty.ps1 index f34e470..0ade372 100644 --- a/Invoke-HardeningKitty.ps1 +++ b/Invoke-HardeningKitty.ps1 @@ -21,7 +21,7 @@ HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules - to read configurations outside the registry. + to read configurations outside the registry. .PARAMETER FileFindingList 
@@ -30,7 +30,7 @@ .PARAMETER Mode - + The mode Config only retrieves the settings, while the mode Audit performs an assessment of the settings. The mode HailMary hardens the system according to recommendations of the HardeningKitty list. @@ -42,7 +42,7 @@ .PARAMETER Log - + The logging function is activated. The script output is additionally logged in a file. The file name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. @@ -50,13 +50,13 @@ .PARAMETER LogFile The name and location of the log file can be defined by the user. - - + + .PARAMETER Report The retrieved settings and their assessment result are stored in CSV format in a machine-readable format. The file name is assigned by HardeningKitty itself and the file is stored in the same directory as the script. - + .PARAMETER ReportFile @@ -72,7 +72,7 @@ using multiple lists on the same system. .EXAMPLE - + Description: HardeningKitty performs an audit, saves the results and creates a log file: Invoke-HardeningKitty -Mode Audit -Log -Report 
@@ -80,38 +80,38 @@ Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation Description: HardeningKitty ready only the setting with the default list, and saves the results in a specific file: - Invoke-HardeningKitty -Mode Config -Report -Report C:\tmp\my_hardeningkitty_report.log - + Invoke-HardeningKitty -Mode Config -Report -Report C:\tmp\my_hardeningkitty_report.csv + #> [CmdletBinding()] Param ( - + # Definition of the finding list, default is machine setting list - [ValidateScript({Test-Path $_})] + [ValidateScript({ Test-Path $_ })] [String] $FileFindingList, # Choose mode, read system config, audit system config, harden system config - [ValidateSet("Audit","Config","HailMary")] + [ValidateSet("Audit", "Config", "HailMary")] [String] $Mode = "Audit", # Activate emoji support for Windows Terminal [Switch] - $EmojiSupport = $false, + $EmojiSupport, # Create a log file [Switch] - $Log = $false, + $Log, # Skip machine information, useful when debugging [Switch] - $SkipMachineInformation = $false, + $SkipMachineInformation, - # Skip language warning, if you understand the risk + # Skip language warning, if you understand the risk [Switch] - $SkipLanguageWarning = $false, + $SkipLanguageWarning, # Define name and path of the log file [String] @@ -119,7 +119,7 @@ # Create a report file in CSV format [Switch] - $Report = $false, + $Report, # Define name and path of the report file [String] @@ -127,9 +127,9 @@ # Create a backup config file in CSV format [Switch] - $Backup = $false, + $Backup, - # Define name and path of the report file + # Define name and path of the backup file [String] $BackupFile ) @@ -138,15 +138,15 @@ <# .SYNOPSIS - + Output of an event with timestamp and different formatting depending on the level. If the Log parameter is set, the output is also stored in a file. - #> + #> [CmdletBinding()] Param ( - + [String] $Text, 
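Review bot: The third example in the comment-based help still passes `-Report -Report C:\tmp\...`; the new line only corrects the extension, and PowerShell rejects a parameter given twice, so the example as written does not run. The second occurrence should be the file parameter: `Invoke-HardeningKitty -Mode Config -Report -ReportFile C:\tmp\my_hardeningkitty_report.csv`. The sentence above it, "HardeningKitty ready only the setting with the default list", should read "HardeningKitty reads only the settings with the default list". Dropping the explicit `= $false` on the `[Switch]` parameters is correct, since a switch is already false when it is not supplied.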
@@ -157,18 +157,18 @@ $Time = Get-Date -Format G Switch ($LogLevel) { - "Info" { $Message = "[*] $Time - $Text"; Write-Host $Message; Break} - "Debug" { $Message = "[-] $Time - $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Warning" { $Message = "[?] $Time - $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "Error" { $Message = "[!] $Time - $Text"; Write-Host -ForegroundColor Red $Message; Break} - "Success" { $Message = "[$] $Time - $Text"; Write-Host -ForegroundColor Green $Message; Break} - "Notime" { $Message = "[*] $Text"; Write-Host -ForegroundColor Gray $Message; Break} + "Info" { $Message = "[*] $Time - $Text"; Write-Host $Message; Break } + "Debug" { $Message = "[-] $Time - $Text"; Write-Host -ForegroundColor Cyan $Message; Break } + "Warning" { $Message = "[?] $Time - $Text"; Write-Host -ForegroundColor Yellow $Message; Break } + "Error" { $Message = "[!] $Time - $Text"; Write-Host -ForegroundColor Red $Message; Break } + "Success" { $Message = "[$] $Time - $Text"; Write-Host -ForegroundColor Green $Message; Break } + "Notime" { $Message = "[*] $Text"; Write-Host -ForegroundColor Gray $Message; Break } Default { $Message = "[*] $Time - $Text"; Write-Host $Message; } } - + If ($Log) { Add-MessageToFile -Text $Message -File $LogFile - } + } } Function Add-MessageToFile { @@ -179,22 +179,22 @@ Write message to a file, this function can be used for logs, reports, backups and more. #> - + [CmdletBinding()] Param ( - + [String] $Text, [String] - $File - ) + $File + ) try { Add-Content -Path $File -Value $Text -ErrorAction Stop } catch { Write-ProtocolEntry -Text "Error while writing log entries into $File. Aborting..." -LogLevel "Error" - Break + Break } } @@ -208,10 +208,10 @@ depending on the severity level. If emoji support is enabled, a suitable symbol is used for the severity rating. #> - + [CmdletBinding()] Param ( - + [String] $Text, 
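Review bot: The catch in Add-MessageToFile reports the write failure through Write-ProtocolEntry, which when `-Log` is set calls Add-MessageToFile again on `$LogFile`; if the file that cannot be written is the log file itself, the two functions call each other until PowerShell's call-depth limit is hit instead of aborting as the message promises. Report the failure directly, e.g. `Write-Host -ForegroundColor Red "[!] Error while writing log entries into $File. Aborting..."`, and then terminate. The `Break` that follows is not inside a loop in this function, so it unwinds into whatever loop the caller happens to be in (or ends the script silently); a `Throw` makes the abort explicit and, unlike `Exit`, does not close an interactive session when the script is dot-sourced.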
@@ -219,14 +219,14 @@ $SeverityLevel ) - If ($EmojiSupport.IsPresent) { + If ($EmojiSupport) { Switch ($SeverityLevel) { - "Passed" { $Emoji = [char]::ConvertFromUtf32(0x1F63A); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Gray $Message; Break} - "Low" { $Emoji = [char]::ConvertFromUtf32(0x1F63C); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Medium" { $Emoji = [char]::ConvertFromUtf32(0x1F63F); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "High" { $Emoji = [char]::ConvertFromUtf32(0x1F640); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Red $Message; Break} + "Passed" { $Emoji = [char]::ConvertFromUtf32(0x1F63A); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Gray $Message; Break } + "Low" { $Emoji = [char]::ConvertFromUtf32(0x1F63C); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Cyan $Message; Break } + "Medium" { $Emoji = [char]::ConvertFromUtf32(0x1F63F); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Yellow $Message; Break } + "High" { $Emoji = [char]::ConvertFromUtf32(0x1F640); $Message = "[$Emoji] $Text"; Write-Host -ForegroundColor Red $Message; Break } Default { $Message = "[*] $Text"; Write-Host $Message; } } 
@@ -234,10 +234,10 @@ Switch ($SeverityLevel) { - "Passed" { $Message = "[+] $Text"; Write-Host -ForegroundColor Gray $Message; Break} - "Low" { $Message = "[-] $Text"; Write-Host -ForegroundColor Cyan $Message; Break} - "Medium" { $Message = "[$] $Text"; Write-Host -ForegroundColor Yellow $Message; Break} - "High" { $Message = "[!] $Text"; Write-Host -ForegroundColor Red $Message; Break} + "Passed" { $Message = "[+] $Text"; Write-Host -ForegroundColor Gray $Message; Break } + "Low" { $Message = "[-] $Text"; Write-Host -ForegroundColor Cyan $Message; Break } + "Medium" { $Message = "[$] $Text"; Write-Host -ForegroundColor Yellow $Message; Break } + "High" { $Message = "[!] $Text"; Write-Host -ForegroundColor Red $Message; Break } Default { $Message = "[*] $Text"; Write-Host $Message; } } } @@ -256,21 +256,23 @@ #> $ini = @{} - switch -regex -file $FilePath - { - “^\[(.+)\]” { # Section + switch -regex -file $FilePath { + "^\[(.+)\]" { + # Section $section = $matches[1] $ini[$section] = @{} $CommentCount = 0 } - “^(;.*)$” { # Comment + "^(;.*)$" { + # Comment $value = $matches[1] $CommentCount = $CommentCount + 1 - $name = “Comment” + $CommentCount + $name = "Comment" + $CommentCount $ini[$section][$name] = $value } - “(.+?)\s*=(.*)” { # Key - $name,$value = $matches[1..2] + "(.+?)\s*=(.*)" { + # Key + $name, $value = $matches[1..2] $ini[$section][$name] = $value } } @@ -309,7 +311,7 @@ Add-Content -Encoding $Encoding -Path $outFile -Value "" } } - } + } Function Get-HashtableValueDeep { 
@@ -333,14 +335,14 @@ $Entry = $Table[$Key[0]] - if($Entry -is [hashtable] -and $Key.Length -eq 1) { + if ($Entry -is [hashtable] -and $Key.Length -eq 1) { throw "Path is incomplete (expected a leaf but still on a branch)" } - if($Entry -is [hashtable]) { + if ($Entry -is [hashtable]) { return Get-HashtableValueDeep $Entry $Key[1]; } else { - if($Key.Length -eq 1) { + if ($Key.Length -eq 1) { return $Entry } else { throw "Path is too long (expected a branch but arrived at a leaf before the end of the path)" @@ -353,7 +355,7 @@ <# .SYNOPSIS - Set a value in a tree of hashtables + Set a value in a tree of hashtables, using recursion. #> [CmdletBinding()] @@ -373,15 +375,15 @@ $Entry = $Table[$Key[0]] - if($Key.Length -eq 2) { - if($null -eq $Entry) { + if ($Key.Length -eq 2) { + if ($null -eq $Entry) { $Table[$Key[0]] = @{} - } elseif($Entry -isnot [hashtable]) { + } elseif ($Entry -isnot [hashtable]) { throw "Not hashtable" } - return Set-HashtableValueDeep $Table[$Key[0]] $Key[1] $Value; - } elseif($Key.Length -eq 1) { + return Set-HashtableValueDeep -Table $Table[$Key[0]] -Path $Key[1] -Value $Value; + } elseif ($Key.Length -eq 1) { $Table[$Key[0]] = $Value; } } @@ -393,10 +395,10 @@ Translate the account name (user or group) into the Security Identifier (SID) #> - + [CmdletBinding()] Param ( - + [String] $AccountName ) @@ -404,12 +406,12 @@ try { $AccountObject = New-Object System.Security.Principal.NTAccount($AccountName) - $AccountSid = $AccountObject.Translate([System.Security.Principal.SecurityIdentifier]).Value + $AccountSid = $AccountObject.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { # If translation fails, return account name - $AccountSid = $AccountName + $AccountSid = $AccountName } Return $AccountSid @@ -422,7 +424,7 @@ Translate the Security Identifier (SID) into the account name (user or group) #> - + [CmdletBinding()] Param ( 
@@ -433,12 +435,12 @@ try { $AccountObject = New-Object System.Security.Principal.SecurityIdentifier ($AccountSid) - $AccountName = $AccountObject.Translate([System.Security.Principal.NTAccount]).Value + $AccountName = $AccountObject.Translate([System.Security.Principal.NTAccount]).Value } catch { # If translation fails, return account SID - $AccountName = $AccountSid + $AccountName = $AccountSid } Return $AccountName 
@@ -456,38 +458,38 @@ [CmdletBinding()] Param ( - + [String] $AccountName - ) + ) Switch ($AccountName) { - "BUILTIN\Account Operators" { $AccountSid = "S-1-5-32-548"; Break} - "BUILTIN\Administrators" { $AccountSid = "S-1-5-32-544"; Break} - "BUILTIN\Backup Operators" { $AccountSid = "S-1-5-32-551"; Break} - "BUILTIN\Guests" { $AccountSid = "S-1-5-32-546"; Break} - "BUILTIN\Power Users" { $AccountSid = "S-1-5-32-547"; Break} - "BUILTIN\Print Operators" { $AccountSid = "S-1-5-32-550"; Break} - "BUILTIN\Remote Desktop Users" { $AccountSid = "S-1-5-32-555"; Break} - "BUILTIN\Server Operators" { $AccountSid = "S-1-5-32-549"; Break} - "BUILTIN\Users" { $AccountSid = "S-1-5-32-545"; Break} - "Everyone" { $AccountSid = "S-1-1-0"; Break} - "NT AUTHORITY\ANONYMOUS LOGON" { $AccountSid = "S-1-5-7"; Break} - "NT AUTHORITY\Authenticated Users" { $AccountSid = "S-1-5-11"; Break} - "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" { $AccountSid = "S-1-5-9"; Break} - "NT AUTHORITY\IUSR" { $AccountSid = "S-1-5-17"; Break} - "NT AUTHORITY\Local account and member of Administrators group" { $AccountSid = "S-1-5-114"; Break} - "NT AUTHORITY\Local account" { $AccountSid = "S-1-5-113"; Break} - "NT AUTHORITY\LOCAL SERVICE" { $AccountSid = "S-1-5-19"; Break} - "NT AUTHORITY\NETWORK SERVICE" { $AccountSid = "S-1-5-20"; Break} - "NT AUTHORITY\SERVICE" { $AccountSid = "S-1-5-6"; Break} - "NT AUTHORITY\SYSTEM" { $AccountSid = "S-1-5-18"; Break} - "NT SERVICE\WdiServiceHost" { $AccountSid = "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"; Break} - "NT VIRTUAL MACHINE\Virtual Machines" { $AccountSid = "S-1-5-83-0"; Break} - "Window Manager\Window Manager Group" { $AccountSid = "S-1-5-90-0"; Break} - Default { $AccountSid = $AccountName } - } + "BUILTIN\Account Operators" { $AccountSid = "S-1-5-32-548"; Break } + "BUILTIN\Administrators" { $AccountSid = "S-1-5-32-544"; Break } + "BUILTIN\Backup Operators" { $AccountSid = "S-1-5-32-551"; Break } + "BUILTIN\Guests" { $AccountSid = 
"S-1-5-32-546"; Break } + "BUILTIN\Power Users" { $AccountSid = "S-1-5-32-547"; Break } + "BUILTIN\Print Operators" { $AccountSid = "S-1-5-32-550"; Break } + "BUILTIN\Remote Desktop Users" { $AccountSid = "S-1-5-32-555"; Break } + "BUILTIN\Server Operators" { $AccountSid = "S-1-5-32-549"; Break } + "BUILTIN\Users" { $AccountSid = "S-1-5-32-545"; Break } + "Everyone" { $AccountSid = "S-1-1-0"; Break } + "NT AUTHORITY\ANONYMOUS LOGON" { $AccountSid = "S-1-5-7"; Break } + "NT AUTHORITY\Authenticated Users" { $AccountSid = "S-1-5-11"; Break } + "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" { $AccountSid = "S-1-5-9"; Break } + "NT AUTHORITY\IUSR" { $AccountSid = "S-1-5-17"; Break } + "NT AUTHORITY\Local account and member of Administrators group" { $AccountSid = "S-1-5-114"; Break } + "NT AUTHORITY\Local account" { $AccountSid = "S-1-5-113"; Break } + "NT AUTHORITY\LOCAL SERVICE" { $AccountSid = "S-1-5-19"; Break } + "NT AUTHORITY\NETWORK SERVICE" { $AccountSid = "S-1-5-20"; Break } + "NT AUTHORITY\SERVICE" { $AccountSid = "S-1-5-6"; Break } + "NT AUTHORITY\SYSTEM" { $AccountSid = "S-1-5-18"; Break } + "NT SERVICE\WdiServiceHost" { $AccountSid = "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"; Break } + "NT VIRTUAL MACHINE\Virtual Machines" { $AccountSid = "S-1-5-83-0"; Break } + "Window Manager\Window Manager Group" { $AccountSid = "S-1-5-90-0"; Break } + Default { $AccountSid = $AccountName } + } Return $AccountSid } @@ -504,7 +506,7 @@ ) $Script:StatsError++ - $Message = "ID "+$FindingID+", "+$FindingName+", Method "+$FindingMethod+" requires admin priviliges. Test skipped." + $Message = "ID " + $FindingID + ", " + $FindingName + ", Method " + $FindingMethod + " requires admin priviliges. Test skipped." Write-ProtocolEntry -Text $Message -LogLevel "Error" } 
@@ -521,7 +523,7 @@ $FindingMethod ) $Script:StatsError++ - $Message = "ID "+$FindingID+", "+$FindingName+", Method "+$FindingMethod+" requires $Binary and it was not found. Test skipped." + $Message = "ID " + $FindingID + ", " + $FindingName + ", Method " + $FindingMethod + " requires $Binary and it was not found. Test skipped." Write-ProtocolEntry -Text $Message -LogLevel "Error" } @@ -536,7 +538,7 @@ # # Start Main # - $HardeningKittyVersion = "0.8.0-1656567332" + $HardeningKittyVersion = "0.8.0-1660481591" # # Log, report and backup file @@ -552,20 +554,20 @@ $ListName = [System.IO.Path]::GetFileNameWithoutExtension($FileFindingList) } - If ($Log.IsPresent -and $LogFile.Length -eq 0) { - $LogFile = "hardeningkitty_log_"+$Hostname+"_"+$ListName+"-$FileDate.log" + If ($Log -and $LogFile.Length -eq 0) { + $LogFile = "hardeningkitty_log_" + $Hostname + "_" + $ListName + "-$FileDate.log" } - If ($Report.IsPresent -and $ReportFile.Length -eq 0) { - $ReportFile = "hardeningkitty_report_"+$Hostname+"_"+$ListName+"-$FileDate.csv" + If ($Report -and $ReportFile.Length -eq 0) { + $ReportFile = "hardeningkitty_report_" + $Hostname + "_" + $ListName + "-$FileDate.csv" } - If ($Report.IsPresent) { - $Message = '"ID","Name","Severity","Result","Recommended"' + If ($Report) { + $Message = '"ID","Name","Severity","Result","Recommended","TestResult","SeverityFinding"' Add-MessageToFile -Text $Message -File $ReportFile } - If ($Backup.IsPresent -and $BackupFile.Length -eq 0) { - $BackupFile = "hardeningkitty_backup_"+$Hostname+"_"+$ListName+"-$FileDate.csv" + If ($Backup -and $BackupFile.Length -eq 0) { + $BackupFile = "hardeningkitty_backup_" + $Hostname + "_" + $ListName + "-$FileDate.csv" } - If ($Backup.IsPresent) { + If ($Backup) { $Message = '"ID","Category","Name","Method","MethodArgument","RegistryPath","RegistryItem","ClassName","Namespace","Property","DefaultValue","RecommendedValue","Operator","Severity"' Add-MessageToFile -Text $Message -File $BackupFile } 
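Review bot: The default `$LogFile`, `$ReportFile` and `$BackupFile` values are bare file names, so Add-Content resolves them against the caller's current location, while the help text above states the file "is stored in the same directory as the script". Either the help should say "current directory" or the names should be anchored, e.g. `$LogFile = Join-Path $PSScriptRoot ("hardeningkitty_log_" + $Hostname + "_" + $ListName + "-$FileDate.log")` (and likewise for the report and backup names); `$PSScriptRoot` is populated whenever the script is executed from a file. Separately, the report and backup headers are written with Add-Content, so a user-supplied `-ReportFile` or `-BackupFile` that already exists receives a second header row appended below the old data and the CSV is silently malformed; a `Test-Path` check with a warning, or `Set-Content` for the header line, would avoid that. The header now carries `TestResult` and `SeverityFinding` columns, so every row written later in the audit loop (outside this hunk) needs seven fields to keep the file rectangular.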
@@ -586,7 +588,7 @@ Write-Output "`n" Write-Output " =^._.^=" Write-Output " _( )/ HardeningKitty $HardeningKittyVersion" - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text "Starting HardeningKitty" -LogLevel "Info" # @@ -594,7 +596,7 @@ # If (-not($SkipMachineInformation)) { - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text "Getting machine information" -LogLevel "Info" # 
@@ -608,67 +610,66 @@ $OperatingSystem = Get-CimInstance Win32_operatingsystem $ComputerSystem = Get-CimInstance Win32_ComputerSystem Switch ($ComputerSystem.domainrole) { - "0" { $Domainrole = "Standalone Workstation"; Break} - "1" { $Domainrole = "Member Workstation"; Break} - "2" { $Domainrole = "Standalone Server"; Break} - "3" { $Domainrole = "Member Server"; Break} - "4" { $Domainrole = "Backup Domain Controller"; Break} - "5" { $Domainrole = "Primary Domain Controller"; Break} + "0" { $Domainrole = "Standalone Workstation"; Break } + "1" { $Domainrole = "Member Workstation"; Break } + "2" { $Domainrole = "Standalone Server"; Break } + "3" { $Domainrole = "Member Server"; Break } + "4" { $Domainrole = "Backup Domain Controller"; Break } + "5" { $Domainrole = "Primary Domain Controller"; Break } } $Uptime = (Get-Date) - $OperatingSystem.LastBootUpTime - $Message = "Hostname: "+$OperatingSystem.CSName + $Message = "Hostname: " + $OperatingSystem.CSName Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain: "+$ComputerSystem.Domain + $Message = "Domain: " + $ComputerSystem.Domain Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain role: "+$Domainrole + $Message = "Domain role: " + $Domainrole Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Install date: "+$OperatingSystem.InstallDate + $Message = "Install date: " + $OperatingSystem.InstallDate Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Last Boot Time: "+$OperatingSystem.LastBootUpTime + $Message = "Last Boot Time: " + $OperatingSystem.LastBootUpTime Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Uptime: "+$Uptime + $Message = "Uptime: " + $Uptime Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows: "+$OperatingSystem.Caption + $Message = "Windows: " + $OperatingSystem.Caption Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows version: 
"+$OperatingSystem.Version + $Message = "Windows version: " + $OperatingSystem.Version Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows build: "+$OperatingSystem.BuildNumber + $Message = "Windows build: " + $OperatingSystem.BuildNumber Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "System-locale: "+$WinSystemLocale.Name + $Message = "System-locale: " + $WinSystemLocale.Name Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Powershell Version: "+$PowerShellVersion + $Message = "Powershell Version: " + $PowerShellVersion Write-ProtocolEntry -Text $Message -LogLevel "Notime" } catch { Write-ProtocolEntry -Text "Getting machine information failed." -LogLevel "Warning" } - } - Else { + } Else { $MachineInformation = Get-ComputerInfo - $Message = "Hostname: "+$MachineInformation.CsDNSHostName + $Message = "Hostname: " + $MachineInformation.CsDNSHostName Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain: "+$MachineInformation.CsDomain + $Message = "Domain: " + $MachineInformation.CsDomain Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Domain role: "+$MachineInformation.CsDomainRole + $Message = "Domain role: " + $MachineInformation.CsDomainRole Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Install date: "+$MachineInformation.OsInstallDate + $Message = "Install date: " + $MachineInformation.OsInstallDate Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Last Boot Time: "+$MachineInformation.OsLastBootUpTime + $Message = "Last Boot Time: " + $MachineInformation.OsLastBootUpTime Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Uptime: "+$MachineInformation.OsUptime + $Message = "Uptime: " + $MachineInformation.OsUptime Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows: "+$MachineInformation.WindowsProductName + $Message = "Windows: " + $MachineInformation.WindowsProductName 
Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows edition: "+$MachineInformation.WindowsEditionId + $Message = "Windows edition: " + $MachineInformation.WindowsEditionId Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows version: "+$MachineInformation.WindowsVersion + $Message = "Windows version: " + $MachineInformation.WindowsVersion Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Windows build: "+$MachineInformation.WindowsBuildLabEx + $Message = "Windows build: " + $MachineInformation.WindowsBuildLabEx Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "System-locale: "+$WinSystemLocale.Name + $Message = "System-locale: " + $WinSystemLocale.Name Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $Message = "Powershell Version: "+$PowerShellVersion + $Message = "Powershell Version: " + $PowerShellVersion Write-ProtocolEntry -Text $Message -LogLevel "Notime" } } 
@@ -679,34 +680,34 @@ If ($WinSystemLocale.Name -ne "en-US" -and -not($SkipLanguageWarning)) { Write-Output "`n" Write-ProtocolEntry -Text "Language warning" -LogLevel "Info" - $Message = "HardeningKitty was developed for the system language 'en-US'. This system uses '"+$WinSystemLocale.Name+"' Language-dependent analyses can sometimes produce false results. Please create an issue if this occurs." + $Message = "HardeningKitty was developed for the system language 'en-US'. This system uses '" + $WinSystemLocale.Name + "' Language-dependent analyses can sometimes produce false results. Please create an issue if this occurs." Write-ProtocolEntry -Text $Message -LogLevel "Warning" } # # User information # - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text "Getting user information" -LogLevel "Info" - - $Message = "Username: "+[Security.Principal.WindowsIdentity]::GetCurrent().Name + + $Message = "Username: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name Write-ProtocolEntry -Text $Message -LogLevel "Notime" $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") - $Message = "Is Admin: "+$IsAdmin + $Message = "Is Admin: " + $IsAdmin Write-ProtocolEntry -Text $Message -LogLevel "Notime" # # Start Config/Audit mode # The processing is done per category of the finding list. # The finding list defines which module is used and the arguments and recommended values for the test. - # + # If ($Mode -eq "Audit" -or $Mode -eq "Config") { # A CSV finding list is imported. HardeningKitty has one machine and one user list. If ($FileFindingList.Length -eq 0) { $CurrentLocation = Get-Location - $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" + $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" If (Test-Path -Path $DefaultList) { $FileFindingList = $DefaultList 
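Review bot: The default finding list is resolved from `Get-Location`, so which list drives the audit depends on the directory the operator is in when invoking the script, and a `lists\finding_list_0x6d69636b_machine.csv` placed in that directory by anyone who can write there is picked up silently. Resolving it relative to the script, `$DefaultList = Join-Path $PSScriptRoot "lists\finding_list_0x6d69636b_machine.csv"`, ties the default to the checked-out tool and matches the help's `.\lists\...` examples; `$PSScriptRoot` is set whenever the script runs from a file. The `If (Test-Path -Path $DefaultList)` fallback is cut off at the end of the hunk, so I cannot see how a missing default is handled.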
@@ -726,14 +727,14 @@ # Reset # $Result = "" - + # # Category # If ($LastCategory -ne $Finding.Category) { $Message = "Starting Category " + $Finding.Category - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text $Message -LogLevel "Info" $LastCategory = $Finding.Category } @@ -746,7 +747,7 @@ If ($Finding.Method -eq 'Registry') { If (Test-Path -Path $Finding.RegistryPath) { - + try { $Result = Get-ItemPropertyValue -Path $Finding.RegistryPath -Name $Finding.RegistryItem } catch { @@ -761,19 +762,19 @@ # Get secedit policy # Secedit configures and analyzes system security, results are written # to a file, which means HardeningKitty must create a temporary file - # and afterwards delete it. HardeningKitty is very orderly. + # and afterwards delete it. HardeningKitty is very orderly. # ElseIf ($Finding.Method -eq 'secedit') { # Check if Secedit binary is available, skip test if not If (-Not (Test-Path $BinarySecedit)) { - Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinarySecedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } @@ -781,7 +782,7 @@ $Area = ""; - Switch($Finding.Category) { + Switch ($Finding.Category) { "Account Policies" { $Area = "SECURITYPOLICY"; Break } "Security Options" { $Area = "SECURITYPOLICY"; Break } } @@ -792,7 +793,7 @@ $Value = Get-HashtableValueDeep $Data $Finding.MethodArgument - if($null -eq $Value) { + if ($null -eq $Value) { $Result = $null } else { $Result = $Value -as [int] 
@@ -809,11 +810,11 @@ ElseIf ($Finding.Method -eq 'RegistryList') { If (Test-Path -Path $Finding.RegistryPath) { - + try { $ResultList = Get-ItemProperty -Path $Finding.RegistryPath - If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { + If ($ResultList | Where-Object { $_ -like "*" + $Finding.RegistryItem + "*" }) { $Result = $Finding.RegistryItem } Else { $Result = "Not found" @@ -826,7 +827,7 @@ $Result = $Finding.DefaultValue } } - + # # Get Audit Policy # The output of auditpol.exe is parsed and will be evaluated later. @@ -837,13 +838,13 @@ # Check if Auditpol binary is available, skip test if not If (-Not (Test-Path $BinaryAuditpol)) { - Write-BinaryError $BinaryAuditpol $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryAuditpol -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } 
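Review bot: In the RegistryList branch `$ResultList` is the single PSCustomObject returned by Get-ItemProperty, so `$_ -like "*" + $Finding.RegistryItem + "*"` stringifies the whole object (value names and data) and does a substring wildcard match against it; a RegistryItem that appears inside another value's data, or that is a prefix of another value name, is reported as present, and any `*`, `?` or `[` in the item name is interpreted as a wildcard. If the intent is "does this value exist under the key", test the property directly: `If ($null -ne $ResultList.PSObject.Properties[$Finding.RegistryItem]) { $Result = $Finding.RegistryItem } Else { $Result = "Not found" }`. If matching on value data is actually wanted here, that should be stated in a comment, because the current form cannot tell the two apart.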
@@ -851,21 +852,21 @@ $SubCategory = $Finding.MethodArgument - # auditpol.exe does not write a backup in an existing file, so we have to build a name instead of create one - $TempFileName = [System.IO.Path]::GetTempPath()+"HardeningKitty_auditpol-"+$(Get-Date -Format yyyyMMdd-HHmmss)+".csv" + # auditpol.exe does not write a backup in an existing file, so we have to build a name instead of create one + $TempFileName = [System.IO.Path]::GetTempPath() + "HardeningKitty_auditpol-" + $(Get-Date -Format yyyyMMdd-HHmmss) + ".csv" &$BinaryAuditpol /backup /file:$TempFileName > $null - $ResultOutputLoad = Get-Content $TempFileName - foreach ($line in $ResultOutputLoad){ + $ResultOutputLoad = Get-Content $TempFileName + foreach ($line in $ResultOutputLoad) { $table = $line.Split(",") - if ($table[3] -eq $SubCategory){ - + if ($table[3] -eq $SubCategory) { + # Translate setting value (works only for English list, so this is workaround) Switch ($table[6]) { - "0" { $Result = "No Auditing"; Break} - "1" { $Result = "Success"; Break} - "2" { $Result = "Failure"; Break} - "3" { $Result = "Success and Failure"; Break} + "0" { $Result = "No Auditing"; Break } + "1" { $Result = "Success"; Break } + "2" { $Result = "Failure"; Break } + "3" { $Result = "Success and Failure"; Break } } } } @@ -873,7 +874,7 @@ # House cleaning Remove-Item $TempFileName Clear-Variable -Name ("ResultOutputLoad", "table") - + } catch { $Result = $Finding.DefaultValue } 
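Review bot: The auditpol backup file is named from a one-second timestamp, so two runs within the same second collide on the same path, and because the `Remove-Item $TempFileName` in the following hunk sits inside the `try`, a failure of `auditpol` or of `Get-Content` leaves the exported audit policy behind in the temp directory. Use a random name that `auditpol` can still create itself, `$TempFileName = Join-Path ([System.IO.Path]::GetTempPath()) ("HardeningKitty_auditpol-" + [System.IO.Path]::GetRandomFileName() + ".csv")`, and move the removal into `finally { Remove-Item $TempFileName -ErrorAction SilentlyContinue }`. The `auditpol` call also discards its exit status (`> $null`); checking `$LASTEXITCODE` before reading the file would distinguish "subcategory not found" from "backup failed", both of which currently end up as DefaultValue via the catch. The enclosing `try` opens before this hunk.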
@@ -889,25 +890,25 @@ # Check if net binary is available, skip test if not If (-Not (Test-Path $BinaryNet)) { - Write-BinaryError $BinaryNet $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryNet -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } try { - + $ResultOutput = &$BinaryNet accounts # "Parse" account policy Switch ($Finding.Name) { - "Force user logoff how long after time expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Network security: Force logoff when logon hours expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Minimum password age" { $ResultOutput[1] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Maximum password age" { $ResultOutput[2] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Minimum password length" { $ResultOutput[3] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Length of password history maintained" { $ResultOutput[4] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Account lockout threshold" { $ResultOutput[5] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Account lockout duration" { $ResultOutput[6] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} - "Reset account lockout counter" { $ResultOutput[7] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result=$Matches[2]; Break} + "Force user logoff how long after time expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Network security: Force logoff when logon hours expires" { $ResultOutput[0] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Minimum password age" { $ResultOutput[1] -match 
'([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Maximum password age" { $ResultOutput[2] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Minimum password length" { $ResultOutput[3] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Length of password history maintained" { $ResultOutput[4] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Account lockout threshold" { $ResultOutput[5] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Account lockout duration" { $ResultOutput[6] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } + "Reset account lockout counter" { $ResultOutput[7] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)' | Out-Null; $Result = $Matches[2]; Break } } } catch { @@ -929,16 +930,14 @@ $ComputerSid = ((Get-LocalUser | Select-Object -First 1).SID).AccountDomainSID.ToString() # Get User Status - $Sid = $ComputerSid+"-"+$Finding.MethodArgument + $Sid = $ComputerSid + "-" + $Finding.MethodArgument $ResultOutput = Get-LocalUser -SID $Sid - If ($Finding.Name.Contains("account status")){ + If ($Finding.Name.Contains("account status")) { $Result = $ResultOutput.Enabled - } - ElseIf ($Finding.Name.Contains("Rename")) { + } ElseIf ($Finding.Name.Contains("Rename")) { $Result = $ResultOutput.Name - } - Else { + } Else { $Result = $Finding.DefaultValue } 
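Review bot: Each arm of the `net accounts` switch reads `$Matches[2]` without checking that the `-match` succeeded; `$Matches` is only updated on a successful match, so a line that does not match (a different locale, an extra or reordered line in the output) silently hands back the capture from an earlier finding and the audit records that stale value as if it were real. Guard each arm, e.g. `If ($ResultOutput[1] -match '([a-zA-Z:, /-]+) ([a-z0-9, ]+)') { $Result = $Matches[2] } Else { $Result = $Finding.DefaultValue }`, and clear `$Matches` before the switch so nothing leaks in from a previous iteration. The positional indexing of `$ResultOutput` assumes the English output layout, which the language warning earlier in the script already acknowledges; a comment here pointing at that warning would help the next reader.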
@@ -955,42 +954,41 @@ # # Secedit configures and analyzes system security, results are written # to a file, which means HardeningKitty must create a temporary file - # and afterwards delete it. HardeningKitty is very orderly. + # and afterwards delete it. HardeningKitty is very orderly. # ElseIf ($Finding.Method -eq 'accesschk') { # Check if Secedit binary is available, skip test if not If (-Not (Test-Path $BinarySecedit)) { - Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinarySecedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } $TempFileName = [System.IO.Path]::GetTempFileName() - try { - + try { + &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null $ResultOutputRaw = Get-Content -Encoding unicode $TempFileName | Select-String $Finding.MethodArgument If ($null -eq $ResultOutputRaw) { $Result = "" - } - Else { + } Else { $ResultOutputList = $ResultOutputRaw.ToString().split("=").Trim() - $Result = $ResultOutputList[1] -Replace "\*","" - $Result = $Result -Replace ",",";" + $Result = $ResultOutputList[1] -Replace "\*", "" + $Result = $Result -Replace ",", ";" } } catch { # If secedit did not work, throw an error instead of using the DefaultValue $Script:StatsError++ - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", secedit.exe could not read the configuration. Test skipped." + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", secedit.exe could not read the configuration. Test skipped." Write-ProtocolEntry -Text $Message -LogLevel "Error" Continue } 
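Review bot: The `catch` branch is commented as handling a failed secedit run, but a non-zero exit from `&$BinarySecedit /export` does not raise a PowerShell exception, so that case falls through to `Get-Content` on the empty temp file and is recorded as `$Result = ""` rather than as an error; check the exit status right after the export, e.g. `If ($LastExitCode -ne 0) { Throw "secedit /export failed with exit code $LastExitCode" }`, as the HailMary branches in this commit already do. The catch branch also `Continue`s without deleting `$TempFileName`, so the exported user-rights configuration is left behind in %TEMP% on that path; add `Remove-Item $TempFileName -ErrorAction SilentlyContinue` before `Continue`. The cleanup on the success path lies outside the hunk.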
@@ -1006,13 +1004,13 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } try { - $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument + $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument $Result = $ResultOutput.State } catch { @@ -1032,7 +1030,7 @@ $ResultList = Get-CimInstance -ClassName $Finding.ClassName -Namespace $Finding.Namespace $Property = $Finding.Property - If ($ResultList.$Property | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" }) { + If ($ResultList.$Property | Where-Object { $_ -like "*" + $Finding.RecommendedValue + "*" }) { $Result = $Finding.RecommendedValue } Else { $Result = "Not available" @@ -1052,7 +1050,7 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } @@ -1060,7 +1058,7 @@ $ResultOutput = Get-BitLockerVolume -MountPoint C: If ($ResultOutput.VolumeType -eq 'OperatingSystem') { - $ResultArgument = $Finding.MethodArgument + $ResultArgument = $Finding.MethodArgument $Result = $ResultOutput.$ResultArgument } Else { $Result = "Manual check required" @@ -1079,7 +1077,7 @@ try { - $ResultOutput = $ExecutionContext.SessionState.LanguageMode + $ResultOutput = $ExecutionContext.SessionState.LanguageMode $Result = $ResultOutput } catch { @@ -1097,7 +1095,7 @@ try { $ResultOutput = Get-MpPreference - $ResultArgument = $Finding.MethodArgument + $ResultArgument = $Finding.MethodArgument $Result = $ResultOutput.$ResultArgument } catch { 
@@ -1144,9 +1142,9 @@ # Check if the user has admin rights, skip test if not # Normal users are not allowed to get exclusions If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue - } + } try { @@ -1155,15 +1153,15 @@ $ResultExclusions = $ResultOutput.$ExclusionType ForEach ($Exclusion in $ResultExclusions) { - $Result += $Exclusion+";" + $Result += $Exclusion + ";" } # Remove last character - $Result = $Result -replace “.$” + $Result = $Result -replace ".$" } catch { $Result = $Finding.DefaultValue } - } + } # # Exploit protection (System) @@ -1174,9 +1172,9 @@ # ElseIf ($Finding.Method -eq 'Processmitigation') { - try { + try { - $ResultOutput = Get-Processmitigation -System + $ResultOutput = Get-ProcessMitigation -System $ResultArgumentArray = $Finding.MethodArgument.Split(".") $ResultArgument0 = $ResultArgumentArray[0] $ResultArgument1 = $ResultArgumentArray[1] @@ -1196,10 +1194,10 @@ # ElseIf ($Finding.Method -eq 'ProcessmitigationApplication') { - try { + try { $ResultArgumentArray = $Finding.MethodArgument.Split("/") - $ResultOutput = Get-Processmitigation -Name $ResultArgumentArray[0] + $ResultOutput = Get-ProcessMitigation -Name $ResultArgumentArray[0] $ResultArgument0 = $ResultArgumentArray[1] $ResultArgument1 = $ResultArgumentArray[2] $Result = $ResultOutput.$ResultArgument0.$ResultArgument1 @@ -1207,7 +1205,7 @@ } catch { $Result = $Finding.DefaultValue } - } + } # # bcdedit 
@@ -1217,20 +1215,20 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if Bcdedit binary is available, skip test if not If (-Not (Test-Path $BinaryBcdedit)) { - Write-BinaryError $BinaryBcdedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryBcdedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } try { $ResultOutput = &$BinaryBcdedit - $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } + $ResultOutput = $ResultOutput | Where-Object { $_ -like "*" + $Finding.RecommendedValue + "*" } If ($ResultOutput -match ' ([a-z,A-Z]+)') { $Result = $Matches[1] @@ -1299,15 +1297,15 @@ # SID Translation ForEach ($AccountName in $ListRecommended) { $AccountSid = Translate-SidFromWellkownAccount -AccountName $AccountName - $ListRecommendedSid += $AccountSid + $ListRecommendedSid += $AccountSid } # Sort SID List $ListRecommendedSid = $ListRecommendedSid | Sort-Object - + # Build String ForEach ($AccountName in $ListRecommendedSid) { - [String] $RecommendedValueSid += $AccountName+";" - } + [String] $RecommendedValueSid += $AccountName + ";" + } $RecommendedValueSid = $RecommendedValueSid -replace ".$" $Finding.RecommendedValue = $RecommendedValueSid 
@@ -1315,29 +1313,30 @@ } } - # + # # Exception handling for special registry keys # Machine => Network access: Remotely accessible registry paths - # Hardened UNC Paths => Remove spaces in result and recommendation + # Hardened UNC Paths => Remove spaces in result and recommendation only if result is not null or empty # - If ($Finding.Method -eq 'Registry' -and $Finding.RegistryItem -eq "Machine"){ - $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(";"," ") - } - ElseIf ($Finding.Method -eq 'Registry' -and $Finding.RegistryPath -eq "HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths") { - $Result = $Result.Replace(" ","") - $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(" ","") - } - + If ($Finding.Method -eq 'Registry' -and $Finding.RegistryItem -eq "Machine") { + $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(";", " ") + } ElseIf ($Finding.Method -eq 'Registry' -and $Finding.RegistryPath -eq "HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths") { + If (![string]::IsNullOrEmpty($Result)) { + $Result = $Result.Replace(" ", "") + } + $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(" ", "") + } + $ResultPassed = $false - Switch($Finding.Operator) { + Switch ($Finding.Operator) { - "=" { If ([string] $Result -eq $Finding.RecommendedValue) { $ResultPassed = $true }; Break} - "<=" { try { If ([int]$Result -le [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - "<=!0" { try { If ([int]$Result -le [int]$Finding.RecommendedValue -and [int]$Result -ne 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - ">=" { try { If ([int]$Result -ge [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} - "contains" { If ($Result.Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break} - "!=" { If ([string] $Result -ne $Finding.RecommendedValue) { $ResultPassed 
= $true }; Break} - "=|0" { try { If ([string]$Result -eq $Finding.RecommendedValue -or $Result.Length -eq 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break} + "=" { If ([string] $Result -eq $Finding.RecommendedValue) { $ResultPassed = $true }; Break } + "<=" { try { If ([int]$Result -le [int]$Finding.RecommendedValue) { $ResultPassed = $true } } catch { $ResultPassed = $false }; Break } + "<=!0" { try { If ([int]$Result -le [int]$Finding.RecommendedValue -and [int]$Result -ne 0) { $ResultPassed = $true } } catch { $ResultPassed = $false }; Break } + ">=" { try { If ([int]$Result -ge [int]$Finding.RecommendedValue) { $ResultPassed = $true } } catch { $ResultPassed = $false }; Break } + "contains" { If ($Result.Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break } + "!=" { If ([string] $Result -ne $Finding.RecommendedValue) { $ResultPassed = $true }; Break } + "=|0" { try { If ([string]$Result -eq $Finding.RecommendedValue -or $Result.Length -eq 0) { $ResultPassed = $true } } catch { $ResultPassed = $false }; Break } } # @@ -1351,20 +1350,21 @@ $ListResult = $Result.Split(";") ForEach ($AccountSid in $ListResult) { $AccountName = Get-AccountFromSid -AccountSid $AccountSid - [String] $ResultName += $AccountName.Trim()+";" + [String] $ResultName += $AccountName.Trim() + ";" } $ResultName = $ResultName -replace ".$" $Result = $ResultName Clear-Variable -Name ("ResultName") } - + $Finding.RecommendedValue = $SaveRecommendedValue - } + } If ($ResultPassed) { # Passed - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Severity=Passed" + $TestResult = "Passed" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", Result=$Result, Recommended=" + $Finding.RecommendedValue + ", Severity=Passed" Write-ResultEntry -Text $Message -SeverityLevel "Passed" If ($Log) { 
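Review bot: The `"contains"` case calls `$Result.Contains(...)` with no null guard, although the HardenedPaths branch a few lines above in the same hunk had to add `[string]::IsNullOrEmpty($Result)` for exactly that variable; a finding whose value could not be read therefore emits a "You cannot call a method on a null-valued expression" error on the console instead of a clean Failed verdict. Guard it like the numeric cases: `"contains" { If (-not [string]::IsNullOrEmpty($Result) -and ([string]$Result).Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break }`. Note also that `-eq` on strings is case-insensitive in PowerShell while `.Contains` is case-sensitive, so `=` and `contains` apply different case rules — worth a comment on the Switch. The loop enclosing this Switch starts outside the hunk.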
@@ -1372,7 +1372,7 @@ } If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","Passed","'+$Result+'"' + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","Passed","' + $Result + '","' + $Finding.RecommendedValue + '","' + $TestResult + '","' + $Finding.Severity + '"' Add-MessageToFile -Text $Message -File $ReportFile } @@ -1382,11 +1382,11 @@ } Else { # Failed + $TestResult = "Failed" If ($Finding.Operator -eq "!=") { - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended=Not "+$Finding.RecommendedValue+", Severity="+$Finding.Severity - } - Else { - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", Result=$Result, Recommended="+$Finding.RecommendedValue+", Severity="+$Finding.Severity + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", Result=$Result, Recommended=Not " + $Finding.RecommendedValue + ", Severity=" + $Finding.Severity + } Else { + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", Result=$Result, Recommended=" + $Finding.RecommendedValue + ", Severity=" + $Finding.Severity } Write-ResultEntry -Text $Message -SeverityLevel $Finding.Severity 
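Review bot: The report line built under `If ($Report)` wraps `$Result` in double quotes but does not escape quotes inside it, so a registry or WMI value that itself contains `"` (or a line break) corrupts that CSV row for every consumer of the report. Double embedded quotes before concatenating, `$ResultCsv = ([string]$Result) -replace '"', '""'`, and use `$ResultCsv` in the line; the failed-row line in the following hunk needs the same treatment. The Audit branch that owns this `If ($Report)` starts outside the hunk.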
@@ -1396,41 +1396,40 @@ } If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$Finding.Severity+'","'+$Result+'","'+$Finding.RecommendedValue+'"' + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $Finding.Severity + '","' + $Result + '","' + $Finding.RecommendedValue + '","' + $TestResult + '","' + $Finding.Severity + '"' Add-MessageToFile -Text $Message -File $ReportFile } # Increment Counter - Switch($Finding.Severity) { + Switch ($Finding.Severity) { - "Low" { $StatsLow++; Break} - "Medium" { $StatsMedium++; Break} - "High" { $StatsHigh++; Break} + "Low" { $StatsLow++; Break } + "Medium" { $StatsMedium++; Break } + "High" { $StatsHigh++; Break } } } - # - # Only return received value - # + # + # Only return received value + # } Elseif ($Mode -eq "Config") { - $Message = "ID "+$Finding.ID+"; "+$Finding.Name+"; Result=$Result" + $Message = "ID " + $Finding.ID + "; " + $Finding.Name + "; Result=$Result" Write-ResultEntry -Text $Message If ($Log) { Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'",,"'+$Result+'",'+$Finding.RecommendedValue + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '",,"' + $Result + '",' + $Finding.RecommendedValue + ',,' Add-MessageToFile -Text $Message -File $ReportFile } If ($Backup) { - $Message = '"'+$Finding.ID+'","'+$Finding.Category+'","'+$Finding.Name+'","'+$Finding.Method+'","'+$Finding.MethodArgument+'","'+$Finding.RegistryPath+'","'+$Finding.RegistryItem+'","'+$Finding.ClassName+'","'+$Finding.Namespace+'","'+$Finding.Property+'","'+$Finding.DefaultValue+'","'+$Result+'","'+$Finding.Operator+'","'+$Finding.Severity+'",' + $Message = '"' + $Finding.ID + '","' + $Finding.Category + '","' + $Finding.Name + '","' + $Finding.Method + '","' + $Finding.MethodArgument + '","' + $Finding.RegistryPath + '","' + $Finding.RegistryItem + '","' + $Finding.ClassName + '","' + $Finding.Namespace + '","' + $Finding.Property + '","' + 
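Review bot: In the Config-mode `If ($Report)` line the recommended value is appended unquoted, `'",' + $Finding.RecommendedValue + ',,'`, whereas the Audit rows written elsewhere in this commit quote it; a recommended value containing a comma shifts every later column of that row. Quote it consistently: `'","' + $Finding.RecommendedValue + '",,'`. The `$Backup` line below concatenates `$Result` into quoted fields in the same way and would benefit from doubling any embedded `"` as well.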
$Finding.DefaultValue + '","' + $Result + '","' + $Finding.Operator + '","' + $Finding.Severity + '",' Add-MessageToFile -Text $Message -File $BackupFile } } } - } # @@ -1439,13 +1438,13 @@ # Even though HardeningKitty works very carefully, please only # use HailyMary if you know what you are doing. # - Elseif ($Mode = "HailMary") { + Elseif ($Mode -eq "HailMary") { # A CSV finding list is imported If ($FileFindingList.Length -eq 0) { $CurrentLocation = Get-Location - $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" + $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" If (Test-Path -Path $DefaultList) { $FileFindingList = $DefaultList @@ -1453,7 +1452,7 @@ $Message = "The finding list $DefaultList was not found." Write-ProtocolEntry -Text $Message -LogLevel "Error" Continue - } + } } $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," @@ -1469,7 +1468,7 @@ If ($LastCategory -ne $Finding.Category) { $Message = "Starting Category " + $Finding.Category - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text $Message -LogLevel "Info" $LastCategory = $Finding.Category } @@ -1479,10 +1478,10 @@ # Create or modify a registry value. # If ($Finding.Method -eq 'Registry' -or $Finding.Method -eq 'RegistryList') { - + # Check if the user has admin rights, skip test if not If (-not($IsAdmin) -and -not($Finding.RegistryPath.StartsWith("HKCU:\"))) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } 
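Review bot: The default finding list is resolved from `Get-Location`, i.e. the caller's current directory, and in HailMary mode that CSV drives registry writes and secedit imports executed with administrative rights; a `lists\finding_list_0x6d69636b_machine.csv` placed in whatever directory the operator happens to run from is picked up silently. Resolve the default relative to the script instead, `$DefaultList = Join-Path $PSScriptRoot "lists\finding_list_0x6d69636b_machine.csv"`, which also matches the documented convention that log and report files live next to the script. The same lookup presumably exists for Audit/Config mode earlier in the file, outside this hunk, and should be changed together with this one.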
@@ -1506,25 +1505,41 @@ } ElseIf ($Finding.RegistryItem -eq "Machine") { $RegType = "MultiString" $Finding.RecommendedValue = $Finding.RecommendedValue -split ";" - } - ElseIf ($Finding.RecommendedValue -match "^\d+$") { - $RegType = "DWord" + } ElseIf ($Finding.RecommendedValue -match "^\d+$") { + $RegType = "DWord" } - if(!(Test-Path $Finding.RegistryPath)) { + if (!(Test-Path $Finding.RegistryPath)) { $Result = New-Item $Finding.RegistryPath -Force; - - if($Result) { - $ResultText = "Registry key created" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText + + If ($Result) { + $ResultText = "Registry key created" + $Message = "ID " + $Finding.ID + ", " + $Finding.RegistryPath + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } else { - $ResultText = "Failed to create registry key" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", " + $ResultText + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } + + } Else { + $ResultText = "Failed to create registry key" + $Message = "ID " + $Finding.ID + ", " + $Finding.RegistryPath + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Continue } } 
@@ -1538,42 +1553,49 @@ $ResultList = Get-ItemProperty -Path $Finding.RegistryPath $ResultListCounter = 0 - If ($ResultList | Where-Object { $_ -like "*"+$Finding.RegistryItem+"*" }) { + If ($ResultList | Where-Object { $_ -like "*" + $Finding.RegistryItem + "*" }) { $ResultList.PSObject.Properties | ForEach-Object { If ( $_.Value -eq $Finding.RegistryItem ) { $Finding.RegistryItem = $_.Value.Name Continue } } - } - Else { + } Else { $ResultList.PSObject.Properties | ForEach-Object { $ResultListCounter++ } } If ($ResultListCounter -eq 0) { $Finding.RegistryItem = 1 - } - Else { + } Else { $Finding.RegistryItem = $ResultListCounter - 4 } } - $Result = Set-Itemproperty -PassThru -Path $Finding.RegistryPath -Name $Finding.RegistryItem -Type $RegType -Value $Finding.RecommendedValue + $Result = Set-ItemProperty -PassThru -Path $Finding.RegistryPath -Name $Finding.RegistryItem -Type $RegType -Value $Finding.RecommendedValue - if($Result) { - $ResultText = "Registry value created/modified" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText + if ($Result) { + $ResultText = "Registry value created/modified" + $Message = "ID " + $Finding.ID + ", " + $Finding.RegistryPath + ", " + $Finding.RegistryItem + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } else { - $ResultText = "Failed to create registry value" - $Message = "ID "+$Finding.ID+", "+$Finding.RegistryPath+", "+$Finding.RegistryItem+", " + $ResultText + $ResultText = "Failed to create registry value" + $Message = "ID " + $Finding.ID + ", " + $Finding.RegistryPath + ", " + $Finding.RegistryItem + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + 
'",' + Add-MessageToFile -Text $Message -File $ReportFile + } } - + # # secedit # Set a security policy @@ -1582,19 +1604,19 @@ # Check if Secedit binary is available, skip test if not If (-Not (Test-Path $BinarySecedit)) { - Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinarySecedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } $Area = ""; - Switch($Finding.Category) { + Switch ($Finding.Category) { "Account Policies" { $Area = "SECURITYPOLICY"; Break } "Security Options" { $Area = "SECURITYPOLICY"; Break } } 
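Review bot: `Continue` inside the `ForEach-Object` script block of the RegistryList branch does not continue that script block — ForEach-Object is a cmdlet, not a loop statement — so it propagates to the enclosing `ForEach ($Finding ...)` loop, whose header is outside the hunk, and the `Set-ItemProperty` call together with the new Log/Report lines is skipped for that finding. If skipping is intended because the value already exists, say so in a comment and use `return` to leave the script block; otherwise the match handling needs restructuring. The assignment `$Finding.RegistryItem = $_.Value.Name` also reads `.Name` from the property's data rather than from the property, which for a string value yields `$null` — `$_.Name` looks like what was meant, but please confirm against the finding lists.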
@@ -1606,45 +1628,77 @@ $Data = Get-IniContent $TempFileName - Set-HashtableValueDeep $Data $Finding.MethodArgument $Finding.RecommendedValue + Set-HashtableValueDeep -Table $Data -Path $Finding.MethodArgument -Value $Finding.RecommendedValue - Out-IniFile $Data $TempFileName unicode $true + Out-IniFile -InputObject $Data -FilePath $TempFileName -Encoding Unicode &$BinarySecedit /import /cfg $TempFileName /overwrite /areas $Area /db $TempDbFileName /quiet | Out-Null - if($LastExitCode -ne 0) { + if ($LastExitCode -ne 0) { $ResultText = "Failed to import security policy into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Remove-Item $TempFileName Remove-Item $TempDbFileName Continue } $ResultText = "Imported security policy into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } &$BinarySecedit 
/configure /db $TempDbFileName /overwrite /areas SECURITYPOLICY /quiet | Out-Null - if($LastExitCode -ne 0) { + if ($LastExitCode -ne 0) { $ResultText = "Failed to configure security policy" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Remove-Item $TempFileName Remove-Item $TempDbFileName Continue } $ResultText = "Configured security policy" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Remove-Item $TempFileName Remove-Item $TempDbFileName 
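Review bot: The `/configure` call hard-codes `/areas SECURITYPOLICY` while the preceding `/import` uses the `$Area` derived from `$Finding.Category`; both categories currently map to SECURITYPOLICY, but a new category would silently import into one area and configure another — use `/areas $Area` in both places. The rewritten `Out-IniFile -InputObject $Data -FilePath $TempFileName -Encoding Unicode` also drops the trailing `$true` the old positional call passed; if that argument mapped to a force/overwrite parameter, note that `GetTempFileName()` has already created the file, so please confirm Out-IniFile still overwrites it. Out-IniFile and the temp-file creation are both outside the hunk.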
@@ -1658,34 +1712,43 @@ # Check if Auditpol binary is available, skip test if not If (-Not (Test-Path $BinaryAuditpol)) { - Write-BinaryError $BinaryAuditpol $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryAuditpol -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } - $Success = if($Finding.RecommendedValue -ilike "*success*") {"enable"} else {"disable"} - $Failure = if($Finding.RecommendedValue -ilike "*failure*") {"enable"} else {"disable"} + $Success = if ($Finding.RecommendedValue -ilike "*success*") { "enable" } else { "disable" } + $Failure = if ($Finding.RecommendedValue -ilike "*failure*") { "enable" } else { "disable" } $SubCategory = $Finding.MethodArgument &$BinaryAuditpol /set /subcategory:"$($SubCategory)" /success:$($Success) /failure:$($Failure) | Out-Null - if($LastExitCode -eq 0) { - $ResultText = "Audit policy set" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + if ($LastExitCode -eq 0) { + $ResultText = "Audit policy set" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } else { - $ResultText = "Failed to set audit policy" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $ResultText = "Failed to set audit policy" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If 
($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } # @@ -1696,13 +1759,13 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if net binary is available, skip test if not If (-Not (Test-Path $BinaryNet)) { - Write-BinaryError $BinaryNet $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryNet -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } @@ -1721,17 +1784,26 @@ &$BinaryNet accounts $Sw | Out-Null - if($LastExitCode -eq 0) { - $ResultText = "Account policy set" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + if ($LastExitCode -eq 0) { + $ResultText = "Account policy set" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } else { - $ResultText = "Failed to set account policy" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.RecommendedValue+", " + $ResultText + $ResultText = "Failed to set account policy" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } # 
@@ -1742,13 +1814,13 @@ # Check if Secedit binary is available, skip test if not If (-Not (Test-Path $BinarySecedit)) { - Write-BinaryError $BinarySecedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinarySecedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } @@ -1757,11 +1829,11 @@ &$BinarySecedit /export /cfg $TempFileName /areas USER_RIGHTS | Out-Null - if($Finding.RecommendedValue -eq "") { + if ($Finding.RecommendedValue -eq "") { (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = " | Out-File $TempFileName } else { $ListTranslated = @() - $Finding.RecommendedValue -split ';'| Where-Object { + $Finding.RecommendedValue -split ';' | Where-Object { # Get SID to translate the account name $AccountSid = Translate-SidFromWellkownAccount -AccountName $_ # Get account name from system with SID (local translation) 
@@ -1769,27 +1841,27 @@ $ListTranslated += $AccountName } - # If User Right Assignment exists, replace values - If ( ((Get-Content -Encoding unicode $TempFileName) | Select-String $($Finding.MethodArgument)).Count -gt 0 ) { + # If User Right Assignment exists, replace values + If ( ((Get-Content -Encoding unicode $TempFileName) | Select-String $($Finding.MethodArgument)).Count -gt 0 ) { (Get-Content -Encoding unicode $TempFileName) -replace "$($Finding.MethodArgument).*", "$($Finding.MethodArgument) = $($ListTranslated -join ',')" | Out-File $TempFileName - } - # If it does not exist, add a new entry into the file at the right position - Else { + } + # If it does not exist, add a new entry into the file at the right position + Else { $TempFileContent = Get-Content -Encoding unicode $TempFileName $LineNumber = $TempFileContent.Count - $TempFileContent[$LineNumber-3] = "$($Finding.MethodArgument) = $($ListTranslated -join ',')" - $TempFileContent[$LineNumber-2] = "[Version]" - $TempFileContent[$LineNumber-1] = 'signature="$CHICAGO$"' + $TempFileContent[$LineNumber - 3] = "$($Finding.MethodArgument) = $($ListTranslated -join ',')" + $TempFileContent[$LineNumber - 2] = "[Version]" + $TempFileContent[$LineNumber - 1] = 'signature="$CHICAGO$"' $TempFileContent += "Revision=1" $TempFileContent | Set-Content -Encoding unicode $TempFileName - } + } } &$BinarySecedit /import /cfg $TempFileName /overwrite /areas USER_RIGHTS /db $TempDbFileName /quiet | Out-Null - if($LastExitCode -ne 0) { - $ResultText = "Failed to import user right assignment into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + if ($LastExitCode -ne 0) { + $ResultText = "Failed to import user right assignment into temporary database" + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" Write-ResultEntry -Text $Message -SeverityLevel 
$MessageSeverity Remove-Item $TempFileName 
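Review bot: The `Failed to import user right assignment into temporary database` branch at the end of the hunk is the only failure path in this commit that neither sets `$TestResult` nor writes the Log/Report entries every sibling branch (e.g. the security-policy import failure) gained, so with `-Report` a failed user-rights import leaves no row in the CSV and with `-Log` no line in the log. Adding the same block keeps the report complete. The branch's `Remove-Item $TempDbFileName` and `Continue` are in the next hunk, so the `if` block is left open here.
```powershell
if ($LastExitCode -ne 0) {
    # … unchanged: $ResultText / $Message …
    $MessageSeverity = "High"
    $TestResult = "Failed"
    Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity
    If ($Log) {
        Add-MessageToFile -Text $Message -File $LogFile
    }
    If ($Report) {
        $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",'
        Add-MessageToFile -Text $Message -File $ReportFile
    }
    Remove-Item $TempFileName
    # … unchanged: Remove-Item $TempDbFileName / Continue (next hunk) …
```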
@@ -1797,34 +1869,58 @@ Continue } - $ResultText = "Imported user right assignment into temporary database" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $ResultText = "Imported user right assignment into temporary database" + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas USER_RIGHTS /quiet | Out-Null - if($LastExitCode -ne 0) { + if ($LastExitCode -ne 0) { $ResultText = "Failed to configure system user right assignment" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Remove-Item $TempFileName Remove-Item $TempDbFileName Continue } $ResultText = "Configured system user right assignment" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", "+$Finding.RecommendedValue+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $Finding.RecommendedValue + ", " + 
$ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Remove-Item $TempFileName Remove-Item $TempDbFileName } - + # # WindowsOptionalFeature # Install / Remove a Windows feature @@ -1833,7 +1929,7 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } @@ -1842,13 +1938,21 @@ # it is missing and should be installed # try { - $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument + $ResultOutput = Get-WindowsOptionalFeature -Online -FeatureName $Finding.MethodArgument $Result = $ResultOutput.State } catch { $ResultText = "Could not check status" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Continue } 
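Review bot: The new `If ($Report)` block after "Imported user right assignment into temporary database" writes a report row for `$Finding.ID`, and the `/configure` step a few lines later writes a second row for the same ID, so every user-right finding now appears twice in the CSV (once for an internal intermediate step, once for the actual result). The import step is a progress message that belongs in the log only; drop the `If ($Report)` block after the import and keep the one after `/configure`, which carries the outcome that matters. If two rows are intended, the `$ResultText` should make clear which row is the final state, otherwise a consumer filtering on `$TestResult` sees "Passed" for a finding whose configure step failed.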
@@ -1856,61 +1960,77 @@ If ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Disabled") { try { - $Result = Disable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument + $Result = Disable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument } catch { $ResultText = "Could not be removed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Continue } - $ResultText = "Feature removed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Feature removed" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" } # No changes required ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Disabled") { - $ResultText = "Feature is not installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Feature is not installed" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" } # Feature will be installed, a reboot will be suppressed ElseIf ($Result -eq "Disabled" -and $Finding.RecommendedValue -eq "Enabled") { try { - $Result = Enable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument + $Result = Enable-WindowsOptionalFeature -NoRestart -Online -FeatureName $Finding.MethodArgument } catch { $ResultText = "Could not be installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $Message = "ID " + $Finding.ID + 
", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } Continue } - $ResultText = "Feature installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Feature installed" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } # No changes required ElseIf ($Result -eq "Enabled" -and $Finding.RecommendedValue -eq "Enabled") { - $ResultText = "Feature is already installed" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Feature is already installed" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" - } + $TestResult = "Passed" + } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - If ($Log) { Add-MessageToFile -Text $Message -File $LogFile } - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' Add-MessageToFile -Text $Message -File $ReportFile - } + } } - + # # MpPreference # Set a Windows Defender policy 
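Review bot: Two of the four outcome branches in this hunk do not set `$TestResult`: "Feature removed" and "Feature is not installed" set `$MessageSeverity = "Passed"` but leave `$TestResult` at whatever the previous finding produced, so the new report column can read "Failed" for a feature that was handled correctly; add `$TestResult = "Passed"` to both branches. The `If`/`ElseIf` chain also has no final `Else`, so when `$Result` matches none of the four combinations (for example a `$ResultOutput.State` other than "Enabled"/"Disabled", or a null result if `Get-WindowsOptionalFeature` raised only a non-terminating error that the earlier `catch` did not see) the unconditional `Write-ResultEntry` and report row below emit the previous finding's `$Message`, `$MessageSeverity` and `$TestResult` under this finding's ID. An `Else` branch setting `$ResultText = "Unexpected feature state"`, `$MessageSeverity = "High"`, `$TestResult = "Failed"` closes that gap; `-ErrorAction Stop` on the DISM calls would make the `catch` blocks reliable. The WindowsOptionalFeature branch begins before this hunk.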
@@ -1919,35 +2039,47 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } $ResultMethodArgument = $Finding.MethodArgument $ResultRecommendedValue = $Finding.RecommendedValue - Switch($ResultRecommendedValue) { + Switch ($ResultRecommendedValue) { "True" { $ResultRecommendedValue = 1; Break } "False" { $ResultRecommendedValue = 0; Break } } - $ResultCommand = "Set-MpPreference -$ResultMethodArgument $ResultRecommendedValue" + # Build a hashtable MpPreferenceArgs for splatting arguments to Set-MpPreference. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_splatting + $MpPreferenceArgs = @{ + $ResultMethodArgument = $ResultRecommendedValue + } - $Result = Invoke-Expression $ResultCommand + Set-MpPreference @MpPreferenceArgs - if($LastExitCode -eq 0) { + if ($?) 
{ $ResultText = "Method value modified" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } else { $ResultText = "Failed to change Method value" - $Message = "ID "+$Finding.ID+", "+$Finding.MethodArgument+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.MethodArgument + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Passed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } - + # # Microsoft Defender Preferences - Attack surface reduction rules (ASR rules) # The values are saved from a PowerShell function into an object. 
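Review bot: The `else` branch of the `if ($?)` check sets `$MessageSeverity = "High"` but `$TestResult = "Passed"`, so a Defender preference that could not be changed is recorded as passed in the report CSV; the line should read `$TestResult = "Failed"`, as the equivalent branch in the ASR hunk below does. The defect is a symptom of the same nine-line Log/Report block being pasted into every branch of this commit with only the three variables varying; a small helper such as `Write-FindingResult -Finding $Finding -ResultText $ResultText -Severity $MessageSeverity -TestResult $TestResult` that does the `Write-ResultEntry`, log and report writes would remove the copies and make the `High`/`Failed` pairing impossible to get wrong. Replacing `Invoke-Expression` with the splatted `Set-MpPreference @MpPreferenceArgs` is a clear improvement, since the finding-list value is no longer parsed as code.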
@@ -1957,32 +2089,46 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } $ResultMethodArgument = $Finding.MethodArgument $ResultRecommendedValue = $Finding.RecommendedValue - - Switch($ResultRecommendedValue) { + + Switch ($ResultRecommendedValue) { "True" { $ResultRecommendedValue = 1; Break } "False" { $ResultRecommendedValue = 0; Break } } - $ResultCommand = "Add-MpPreference -AttackSurfaceReductionRules_Ids $ResultMethodArgument -AttackSurfaceReductionRules_Actions $ResultRecommendedValue" - $Result = Invoke-Expression $ResultCommand + # Build a hashtable MpPreferenceArgs for splatting arguments to Set-MpPreference. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_splatting + $MpPreferenceArgs = @{ + AttackSurfaceReductionRules_Ids = $ResultMethodArgument + AttackSurfaceReductionRules_Actions = $ResultRecommendedValue + } - if($LastExitCode -eq 0) { + Add-MpPreference @MpPreferenceArgs + + if ($?) 
{ $ResultText = "ASR rule added to list" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.MethodArgument+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.MethodArgument + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } else { $ResultText = "Failed to add ASR rule" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", "+$Finding.MethodArgument+", " + $ResultText + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $Finding.MethodArgument + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } # 
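Review bot: The new comment above the hashtable says the arguments are splatted to `Set-MpPreference`, but the command that follows is `Add-MpPreference`, so the comment misleads the reader about whether existing ASR rules are replaced or appended to. Change it to `# Build a hashtable MpPreferenceArgs for splatting arguments to Add-MpPreference, which appends this rule to the existing list. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_splatting`. The ASR branch begins before this hunk.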
@@ -1997,36 +2143,41 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } - $SettingArgumentArray = $Finding.MethodArgument.Split(".") + $SettingArgumentArray = $Finding.MethodArgument.Split(".") If ( $Finding.RecommendedValue -eq "ON") { If ( $SettingArgumentArray[1] -eq "Enable" ) { $ProcessmitigationEnableArray += $SettingArgumentArray[0] - } Else { + } Else { $ProcessmitigationEnableArray += $SettingArgumentArray[1] - } - } - ElseIf ( $Finding.RecommendedValue -eq "OFF") { + } + } ElseIf ( $Finding.RecommendedValue -eq "OFF") { If ($SettingArgumentArray[1] -eq "TelemetryOnly") { $ProcessmitigationDisableArray += "SEHOPTelemetry" - } - ElseIf ( $SettingArgumentArray[1] -eq "Enable" ) { + } ElseIf ( $SettingArgumentArray[1] -eq "Enable" ) { $ProcessmitigationDisableArray += $SettingArgumentArray[0] - } - Else { + } Else { $ProcessmitigationDisableArray += $SettingArgumentArray[1] } } - $ResultText = "setting added to list" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "setting added to list" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } # 
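Review bot: Every ProcessMitigation finding is written to the report as `$MessageSeverity = "Passed"` / `$TestResult = "Passed"` at the point where its name is merely appended to `$ProcessmitigationEnableArray` or `$ProcessmitigationDisableArray`; nothing has been applied yet, and the actual `Set-ProcessMitigation` call happens only after the loop (new lines 2319 ff.), where a failure is reported once and not under these finding IDs. A report consumer therefore sees "Passed" for mitigations that may never have been set. Keep "setting added to list" as a log message, and either write the per-finding report rows after the post-loop call with the real outcome, or use a neutral `$TestResult` value here and document in the comment that the result of this category is recorded under the Exploit Guard summary entry. The enclosing HailMary branch continues past this hunk.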
@@ -2037,20 +2188,20 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } # Check if Bcdedit binary is available, skip test if not If (-Not (Test-Path $BinaryBcdedit)) { - Write-BinaryError $BinaryBcdedit $Finding.ID $Finding.Name $Finding.Method + Write-BinaryError -Binary $BinaryBcdedit -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } try { $ResultOutput = &$BinaryBcdedit - $ResultOutput = $ResultOutput | Where-Object { $_ -like "*"+$Finding.RecommendedValue+"*" } + $ResultOutput = $ResultOutput | Where-Object { $_ -like "*" + $Finding.RecommendedValue + "*" } If ($ResultOutput -match ' ([a-z,A-Z]+)') { $Result = $Matches[1] 
@@ -2070,29 +2221,30 @@ } catch { - $ResultText = "Setting could not be enabled" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Setting could not be enabled" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } - $ResultText = "Setting enabled. Please restart the system to activate it" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Setting enabled. Please restart the system to activate it" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } Else { - $ResultText = "Setting is already set correct" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Setting is already set correct" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - If ($Log) { Add-MessageToFile -Text $Message -File $LogFile } - If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' Add-MessageToFile -Text $Message -File $ReportFile } } @@ -2105,14 +2257,14 @@ # Check if the user has admin rights, skip test if not If (-not($IsAdmin)) { - Write-NotAdminError $Finding.ID $Finding.Name $Finding.Method + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method Continue } $FwRule = $Finding.MethodArgument $FwRuleArray = $FwRule.Split("|") - $FwDisplayName = $Finding.Name + $FwDisplayName = $Finding.Name $FwProfile = $FwRuleArray[0] $FwDirection = $FwRuleArray[1] $FwAction = $FwRuleArray[2] 
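Review bot: The `$TestResult = "Failed"` added to the `catch` of the bcdedit branch is dead: the three lines that follow unconditionally assign `$ResultText = "Setting enabled. Please restart the system to activate it"`, `$MessageSeverity = "Passed"` and `$TestResult = "Passed"`, so a change that threw is still reported as passed (the pre-existing `$ResultText` and `$MessageSeverity` overwrite had the same effect). Move the three success assignments into the `try` after the bcdedit call so the `catch` values survive. If the try body is a bare `&$BinaryBcdedit` invocation like the read path in the hunk above, a non-zero exit code never raises an exception and never reaches the `catch` at all; check `$LastExitCode` there, as the secedit path does. The `try` block starts before this hunk.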
@@ -2136,30 +2288,30 @@ If ($FwProgram -eq "") { $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Protocol $FwProtocol -LocalPort $FwLocalPort - } - Else { + } Else { $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Program "$FwProgram" } If ($ResultRule.PrimaryStatus -eq "OK") { # Excellent - $ResultText = "Rule created" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Rule created" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" - } - Else { + $TestResult = "Passed" + } Else { # Bogus - $ResultText = "Rule not created" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Rule not created" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "High" + $TestResult = "Failed" } - } - Else { + } Else { # Excellent - $ResultText = "Rule already exists" - $Message = "ID "+$Finding.ID+", "+$Finding.Name+", " + $ResultText + $ResultText = "Rule already exists" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText $MessageSeverity = "Passed" + $TestResult = "Passed" } Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity 
@@ -2167,77 +2319,99 @@ If ($Log) { Add-MessageToFile -Text $Message -File $LogFile } - + If ($Report) { - $Message = '"'+$Finding.ID+'","'+$Finding.Name+'","'+$ResultText+'"' + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' Add-MessageToFile -Text $Message -File $ReportFile } } } - + # - # After all items of the checklist have been run through, the process mitigation settings can now be set... + # After all items of the checklist have been run through, the process mitigation settings can now be set... # If ( $ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -gt 0) { $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" + $MessageSeverity = "Passed" + $TestResult = "Passed" try { - $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray -Disable $ProcessmitigationDisableArray - } - catch { + $Result = Set-ProcessMitigation -System -Enable $ProcessmitigationEnableArray -Disable $ProcessmitigationDisableArray + } catch { $ResultText = "Failed to set process mitigation settings" $MessageSeverity = "High" + $TestResult = "Failed" } $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + $Message = $ResultText Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - ElseIf ($ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -eq 0) { + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } + } ElseIf ($ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -eq 0) 
{ $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" + $MessageSeverity = "Passed" + $TestResult = "Passed" try { - $Result = Set-Processmitigation -System -Enable $ProcessmitigationEnableArray - } - catch { + $Result = Set-ProcessMitigation -System -Enable $ProcessmitigationEnableArray + } catch { $ResultText = "Failed to set process mitigation settings" $MessageSeverity = "High" + $TestResult = "Failed" } $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" + Write-Output "`n" Write-ProtocolEntry -Text $Message -LogLevel "Info" - + $Message = $ResultText Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity - } - ElseIf ($ProcessmitigationEnableArray.Count -eq 0 -and $ProcessmitigationDisableArray.Count -gt 0) { + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If ($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } + } ElseIf ($ProcessmitigationEnableArray.Count -eq 0 -and $ProcessmitigationDisableArray.Count -gt 0) { $ResultText = "Process mitigation settings set" - $MessageSeverity = "Passed" + $MessageSeverity = "Passed" + $TestResult = "Passed" try { - $Result = Set-Processmitigation -System -Disable $ProcessmitigationDisableArray - } - catch { + $Result = Set-ProcessMitigation -System -Disable $ProcessmitigationDisableArray + } catch { $ResultText = "Failed to set process mitigation settings" $MessageSeverity = "High" + $TestResult = "Failed" } $Message = "Starting Category Microsoft Defender Exploit Guard" - Write-Output "`n" - Write-ProtocolEntry -Text $Message -LogLevel "Info" - + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + $Message = $ResultText Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + If 
($Report) { + $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' + Add-MessageToFile -Text $Message -File $ReportFile + } } } - + Write-Output "`n" Write-ProtocolEntry -Text "HardeningKitty is done" -LogLevel "Info" @@ -2249,8 +2423,8 @@ $ScoreAchived = $StatsPassed * 4 + $StatsLow * 2 + $StatsMedium If ($ScoreTotal -ne 0 ) { $HardeningKittyScore = ([int] $ScoreAchived / [int] $ScoreTotal) * 5 + 1 - } - $HardeningKittyScoreRounded = [math]::round($HardeningKittyScore,2) + } + $HardeningKittyScoreRounded = [math]::round($HardeningKittyScore, 2) # Overwrite HardeningKitty Score if no finding is passed If ($StatsPassed -eq 0 ) { @@ -2260,7 +2434,7 @@ If ($Script:StatsError -gt 0) { Write-ProtocolEntry -Text "During the execution of HardeningKitty errors occurred due to missing admin rights or tools. For a complete result, these errors should be resolved. Total errors: $Script:StatsError" -LogLevel "Error" } - + Write-ProtocolEntry -Text "Your HardeningKitty score is: $HardeningKittyScoreRounded. HardeningKitty Statistics: Total checks: $StatsTotal - Passed: $StatsPassed, Low: $StatsLow, Medium: $StatsMedium, High: $StatsHigh." -LogLevel "Info" } Write-Output "`n" @@ -2269,8 +2443,8 @@ # SIG # Begin signature block # MIIgIgYJKoZIhvcNAQcCoIIgEzCCIA8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR -# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU1/uwAydIi/rPLppZWf9ALC2b -# Syagghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B +# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUj8G/FpvpEYGAVC8JUvlKOoIa +# ZQygghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B # AQsFADCBkTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3Rl # cjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx # NzA1BgNVBAMTLkNPTU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNp 
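Review bot: The three new `If ($Report)` blocks in the post-loop process-mitigation section use `$Finding.ID` and `$Finding.Name`, but this code runs after the `foreach` over the finding list has ended, so the row is attributed to whatever finding happened to be last in the list rather than to the mitigation settings it describes; the report row needs its own identifier (a fixed step ID and the "Microsoft Defender Exploit Guard" name used in the protocol message) instead of the loop variable. The three `If`/`ElseIf` branches differ only in which of `-Enable`/`-Disable` is passed, and this commit has now tripled the log/report block inside them; building a splat hashtable from the non-empty lists collapses them into one branch, shown below. `Set-ProcessMitigation` errors reach the `catch` only if they are terminating, so `-ErrorAction Stop` makes the existing `try`/`catch` do what the code assumes. The same `$Finding`-after-loop issue applies to all three branches of this hunk.
```powershell
If ($ProcessmitigationEnableArray.Count -gt 0 -or $ProcessmitigationDisableArray.Count -gt 0) {
    $ResultText = "Process mitigation settings set"
    $MessageSeverity = "Passed"
    $TestResult = "Passed"
    # Pass only the non-empty lists, mirroring the three former branches
    $ProcessMitigationArgs = @{ System = $true }
    If ($ProcessmitigationEnableArray.Count -gt 0) {
        $ProcessMitigationArgs["Enable"] = $ProcessmitigationEnableArray
    }
    If ($ProcessmitigationDisableArray.Count -gt 0) {
        $ProcessMitigationArgs["Disable"] = $ProcessmitigationDisableArray
    }
    try {
        # -ErrorAction Stop: only terminating errors are caught by try/catch
        $Result = Set-ProcessMitigation @ProcessMitigationArgs -ErrorAction Stop
    } catch {
        $ResultText = "Failed to set process mitigation settings"
        $MessageSeverity = "High"
        $TestResult = "Failed"
    }
    # … unchanged: category header, Write-ResultEntry, If ($Log) …
    If ($Report) {
        # $Finding is the finished loop variable here; use a fixed ID for this step
        $Message = '"' + '<EXPLOIT-GUARD-STEP-ID-PLACEHOLDER>' + '","' + 'Microsoft Defender Exploit Guard' + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",'
        Add-MessageToFile -Text $Message -File $ReportFile
    }
}
```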
@@ -2414,29 +2588,29 @@ # TU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNpZ25pbmcgQ0ECEHjt # WA31OLd9nVpoMAZGEhAwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKA # AKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO -# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFFCKbt4ZLGSGpxdSDRNAnZ+5 -# Ee7kMA0GCSqGSIb3DQEBAQUABIIBAGqdYDlT6e5qa3aj5sLFqCkIcn5VeUC5UnTh -# 85aRlA8e2mMWbgm55ftNzZ/Swu6HFMHwXIgUAxpLyu8PehFhEV20IIWi+BfTucKQ -# QEzEhZDCvTCN2zQgNWoolWQb8mbAZnHDexj0lGjuHmGtMSkW1gWaGnGs56etL0FW -# zk6Wn2oAs1v69+dWCBvxr2swVteghywyRVfzvo2yoNFs+7fPwLWYlS9EBh+i1j2+ -# Vx/8VTlWmBKKMyv9U6GrLPVQQCWR9S91qD46nOyqyeUcFka62TpKS7jQSeV0A4+d -# wDQ1F3mco/e+NYecb9s1Zy/NMOVlyxgq2r5YJQi/4knfJP+HKDOhggNMMIIDSAYJ +# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFH0PnhwfakDEsZAD7N4w8zpW +# zpalMA0GCSqGSIb3DQEBAQUABIIBAFf/MXcHYElXShM/Y78RQK9VLHM4FVFMN0sE +# 9vbrU1qEEBCPlYL5wvq5A7dYFSquzZ0B7Vl4BA8q4D6E77NsaD30v21CZlAZT9xw +# 0xpgEeavEBr3/Og1j+1/kP50LsEjfMo9eKSrwN8TWR3ml/m7BRS2M+XrwJVWNOYh +# qRCclFmRpgCxP3pVz7e5GIFXpk1YgTSdqLiPWO7g/n4lI8lC6+JxL0Jg3RTnIk/q +# 6cHGq0ZctDNWfoT5lBi2G5HAjsexv9lBKb4CNjjWI37rm5MqNW7rNGl0QUu39vDt +# ZQ/rl5ECA7MX1xXniLUDj2v54Za9JDD6WXa/67ga5O3/EzPkq/qhggNMMIIDSAYJ # KoZIhvcNAQkGMYIDOTCCAzUCAQEwgZIwfTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT # EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMP # U2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdvIFJTQSBUaW1lIFN0YW1w # aW5nIENBAhEAkDl/mtJKOhPyvZFfCDipQzANBglghkgBZQMEAgIFAKB5MBgGCSqG -# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDYzMDA1NDgz -# N1owPwYJKoZIhvcNAQkEMTIEMGL06yR2zyw7xueY65D37QTQnYpBwqdKDZGG8asK -# uuuhd5nAKov197FNH6s+neS+izANBgkqhkiG9w0BAQEFAASCAgB79n3BmJZYNJ7k -# xKOjcd6LWRSsXL8pbTbMtiqcUpgBd6ivf7hd1uT5QrtVMtI6mYrmEOz2xSu0lqzD -# PVb5pdFcERWO3etYo+mQre2lR0cegqBFZzGxbAzd4la4/wf9abpZIqy+u7JGJDAV -# FAUVKEBD1BZ7Y/K1sK+V5vwNZ9DHbZSnKx8UzFAaRV+Mb5wMXLanO3yJSQkFMfva -# ZUtMNttDzZeiVUtqKxA3sL7hBOkPhh6nbemMcFmFrr4fJYtbWFF68Xx3u79w48wX -# JBU6isSe2VBM36AYcMb/5YYWU+z2ZOhIpCBqFg+G8UBIciX9++/OyjbIdi9EXlzF -# 
AXla2ZAfnWP2o/Rlrv43BZGlxO2HesZGrBY3EP3JJNoYeeZ/3Fo6Xa0tnFIDUjvr -# PlLw8pn2nKdsFm1FUYs+I3H3xsnGbFKHY6fdZ/hjQnRPdBhZXuWcjEwFlx1UgmF/ -# y0CcHq70qWnjbBevUWWLApW6Uo7mZC/ZYCLKGX8d7guMy67E+N4T9y8R6GeOlrQX -# Cbn98VxK5F70laZRC85qphYJkT5v5eBVNfxpsejou+fCNxCMsuC36xsD6jY5SbUh -# m8G23AGb9aF7SHOvZVUAHBEE0gYfpf6d0PfKHj0icmO02kc3PQXJFyEA3Z0D2KoV -# vBB185B7ZcDcjtCYcronoWBgA13ddQ== +# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDgzMTA1MTE0 +# N1owPwYJKoZIhvcNAQkEMTIEMB5zlCu07ibMxSz5RLRuMt5abDCmf8BafavXyJVy +# QklxZx5xXTuJa7mlwN0+ZpR0cTANBgkqhkiG9w0BAQEFAASCAgAChDNq5KDqR0SA +# ZtY2FzbdvMVa1lz9V3afkIJ1Cr4qHuUn1UI91zbns1McJL9cf4DRv2WOlaaUzWrS +# SPFlC5qT9sK20BOgRDcyDpPKAJaFrbSERiByh8Nm1niGgJHhibBbMQUIRt1bltTf +# MC90KvZwvtFQ557Oydcz8sbCV0xUSd5VxFfysyYIOQRZ4yeI4nJX1Txbv8KUr+oz +# 4L59YLg+ZSmfP5pu1IT48QGeOscOAJaVlxQX5B9aCYEnXgRjuhxCEWG1rygSRsqz +# P2sviMRtc+irWxYSA4KK5E0ba8DNi7ANhJtEJ4EFdOoVw2cf+pAqMbNhv1Hqug9q +# k6xum1b7yi23hfIz67xCF/1EueNCc4x6zBKAMsEb0SbcSvMHGGA1lTw37JRsGbmS +# pz2DQFZ7X/cwUvdQMn947/8QqDbhQLzRmx7USHyYk4UxKl10tGyHZeanQ2rzBtxj +# 4jp9oC6/m7nd9NLHvtZVLDmShSS5DcFqtwBg1euNCPE2bqlgSiBTfj49qseCdvuh +# TzSY8WfIYPIqis6e3/deIoPKd8dlpXPWxPAnQa33TxHv2VWa/1951ITTHxi/08n4 +# +W6uvj8wWt7bd2Gb/saFi9qqF6odQ8p6hsgi/dIxW8pdeQkTOUNI6pYKrWt972WK +# wBC8hjyZ7IQJdHf2JBqkG8dWWKtCWQ== # SIG # End signature block diff --git a/README.md b/README.md index 2c0494d..080f97e 100644 --- a/README.md +++ b/README.md 
@@ -176,7 +176,7 @@ HardeningKitty can be used to audit systems against the following baselines / be | Microsoft Security baseline for Microsoft Edge | 95 | Final | | Microsoft Security baseline for Microsoft Edge | 96 | Final | | Microsoft Security baseline for Microsoft Edge | 97 | Final | -| Microsoft Security baseline for Microsoft Edge | 98, 99, 100, 101, 102, 103 | Final | +| Microsoft Security baseline for Microsoft Edge | 98, 99, 100, 101, 102, 103, 104 | Final | | Microsoft Security baseline for Windows 10 | 2004 | Final | | Microsoft Security baseline for Windows 10 | 20H2, 21H1 | Final | | Microsoft Security baseline for Windows 10 | 21H2 | Final | @@ -197,4 +197,3 @@ HardeningKitty can be used to audit systems against the following baselines / be | Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2206 | Final | | Microsoft Windows Server TLS Settings | 1809 | 1.0 | | Microsoft Windows Server TLS Settings (Future Use with TLSv1.3) | 1903 | 1.0 | - diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv index cf97364..a77171f 100644 --- a/lists/finding_list_0x6d69636b_machine.csv +++ b/lists/finding_list_0x6d69636b_machine.csv 
@@ -36,7 +36,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1319,"Security Options","Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,RestrictSendingNTLMTraffic,,,,0,1,=,Medium 1320,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium 1321,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium -1322,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,5,=,Medium +1322,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium 1323,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,1,=,Medium 1400,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium 1418,"Windows Firewall","EnableFirewall (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,EnableFirewall,,,,1,1,=,Medium 
@@ -110,6 +110,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1764,"Administrative Templates: Printer","Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,High 1765,"Administrative Templates: Printer","Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,High 1766,"Administrative Templates: Printer","Point and Print Restrictions: Only administrators can install printer drivers on a print server (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium +1771,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 1605,"Administrative Templates: System","Credentials Delegation: Allow delegation default credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowDefaultCredentials,,,,1,0,=,Medium 1606,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium 1607,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium 
@@ -177,8 +178,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1718,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKey,,,,0,0,=,Medium
 1719,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,,,,0,0,=,Medium
 1712,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium
-1713,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,1,=,Medium
-1714,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSoftwareEncryptionFailover,,,,0,1,=,Medium
+1713,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,0,=,Medium
 1763,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure minimum PIN length for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,MinimumPIN,,,,,8,>=,Medium
 1720,"Administrative Templates: Windows Components","Cloud Content: Do not show Windows tips",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableSoftLanding,,,,0,1,=,Medium
 1721,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium
diff --git a/lists/finding_list_0x6d69636b_user.csv b/lists/finding_list_0x6d69636b_user.csv
index 5ff3f5b..75ac4bc 100644
--- a/lists/finding_list_0x6d69636b_user.csv
+++ b/lists/finding_list_0x6d69636b_user.csv
@@ -1,5 +1,4 @@
 ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
-4000,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion,NoCloudApplicationNotification,,,,0,1,=,Medium
 4001,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
 4100,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
 4200,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
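Review bot: Removing row 4000 drops the user-scope check for "Turn off notifications network usage" altogether, although the removed row's only visible defect was its RegistryPath: it pointed at `HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion`, while the sibling row 4001 and the new machine-scope row 1771 (hunk `@@ -110,6 +110,7 @@` of the machine list) use the `\PushNotifications` subkey. As far as I recall this policy is exposed under both Computer and User Configuration, so unless the intent is to audit machine scope only, the row could stay with the corrected path, `4000,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium`. If dropping the user-scope check was deliberate, a short remark in the commit description would spare the next reader the same question.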
@@ -11,8 +10,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 4303,PowerShell,"PowerShell Language Mode",LanguageMode,,,,,,,FullLanguage,ConstrainedLanguage,=,Medium
 4400,"Office 2016 / Office 365","Security Settings: Macro Runtime Scan Scope",Registry,,HKCU:\software\policies\microsoft\office\16.0\common\security,macroruntimescanscope,,,,0,2,=,Medium
 4401,"Office 2016 / Office 365","Microsoft Excel: Always prevent untrusted Microsoft Query files from opening",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",enableblockunsecurequeryfiles,,,,0,1,=,Medium
-4405,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,0,=,Medium
-4406,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDECleaned,,,,0,1,=,Medium
+4405,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
+4406,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
 4407,"Office 2016 / Office 365","Microsoft Excel: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium
 4408,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Security,vbawarnings,,,,2,4,=,Medium
 4409,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security,vbawarnings,,,,2,4,=,Medium
@@ -22,8 +21,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 4416,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings",Registry,,HKCU:\Software\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,4,=,Medium
 4417,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,4,=,Medium
 4402,"Office 2016 / Office 365","Microsoft Excel: Don't update links",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DontUpdateLinks,,,,0,1,=,Medium
-4403,"Office 2016 / Office 365","Microsoft Excel: Allow DDE",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
-4404,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
+4403,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDEAllowed)",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium
+4404,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDECleaned)",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDECleaned,,,,0,1,=,Medium
 4410,"Office 2016 / Office 365","Microsoft OneNote: Disable embedded files",Registry,,HKCU:\Software\Microsoft\Office\16.0\OneNote\Options,DisableEmbeddedFiles,,,,0,1,=,Medium
 4413,"Office 2016 / Office 365","Microsoft Word: Don't update links",Registry,,HKCU:\Software\Microsoft\Office\16.0\Word\Options,DontUpdateLinks,,,,0,1,=,Medium
 4414,"Office 2016 / Office 365","Microsoft Word (Mail): Don't update links",Registry,,HKCU:\Software\Microsoft\Office\16.0\Word\Options\WordMail,DontUpdateLinks,,,,0,1,=,Medium
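Review bot: The new row 4403 recommends `DDEAllowed` = 1 with DefaultValue also 1, whereas the row it replaces in the earlier hunk (`@@ -11,8 +10,8 @@`, removed 4405) recommended 0 for the very same key, and the Name still reads "Don’t allow Dynamic Data Exchange". Either the registry semantics are inverted relative to the name (1 meaning DDE is ignored), in which case the Name should say so, or the recommendation was flipped by accident and the row should read `4403,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDEAllowed)",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,0,=,Medium`. As written, Default equal to Recommended with operator `=` means the check passes on an unconfigured Excel, so it is worth confirming against the Excel UI option this key appears to back ("Ignore other applications that use Dynamic Data Exchange (DDE)") before release; 4404 (`DDECleaned`, 0 → 1) keeps the previous direction and looks consistent.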
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv
index c1e58d8..d62f932 100644
--- a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv
@@ -160,7 +160,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium
 5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium
 5.22.1,"System Services","Remote Desktop Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium
-5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium
+5.22.2,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium
 5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium
 5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium
 5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium
@@ -196,7 +196,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5.39.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium
 5.39.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium
 5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium
-5.40.1,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
+5.40.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
 5.41.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=|0,Medium
 5.41.2,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=|0,Medium
 5.42.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium
diff --git a/lists/finding_list_microsoft_windows_tls.csv b/lists/finding_list_microsoft_windows_tls.csv
index ba051d2..990f8b0 100644
--- a/lists/finding_list_microsoft_windows_tls.csv
+++ b/lists/finding_list_microsoft_windows_tls.csv
@@ -23,9 +23,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1021,"Schannel: TLS Settings: Protocols","Server: TLSv1.1 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",Disabledbydefault,,,,,1,=,Medium
 1022,"Schannel: TLS Settings: Protocols","Client: TLSv1.1",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",Enabled,,,,,0,=,Medium
 1023,"Schannel: TLS Settings: Protocols","Client: TLSv1.1 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",Disabledbydefault,,,,,1,=,Medium
-1024,"Schannel: TLS Settings: Protocols","Server: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Enabled,,,,,4294967295,=,Medium
+1024,"Schannel: TLS Settings: Protocols","Server: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Enabled,,,,,1,=,Medium
 1025,"Schannel: TLS Settings: Protocols","Server: TLSv1.2 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Disabledbydefault,,,,,0,=,Medium
-1026,"Schannel: TLS Settings: Protocols","Client: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Enabled,,,,,4294967295,=,Medium
+1026,"Schannel: TLS Settings: Protocols","Client: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Enabled,,,,,1,=,Medium
 1027,"Schannel: TLS Settings: Protocols","Client: TLSv1.2 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Disabledbydefault,,,,,0,=,Medium
 1028,"Schannel: TLS Settings: Chipers",NULL,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL,Enabled,,,,,0,=,High
 1029,"Schannel: TLS Settings: Chipers","DES 56/56",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56",Enabled,,,,,0,=,High
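Review bot: Switching the `Enabled` value for TLS 1.2 (1024, 1026) from 4294967295 to 1 under operator `=` means a host hardened with the 0xffffffff form — the value Microsoft's Schannel documentation used for years and that several hardening tools still write — is now reported as a finding, although Schannel, to my knowledge, treats any non-zero `Enabled` as enabled. The same switch is made for the AES ciphers (1038, 1039) in the next hunk, yet ECDH and PKCS (1049, 1050) in the `@@ -51,7 +51,7 @@` hunk still expect 4294967295, so the list is now inconsistent with itself; the tls_future list repeats all three hunks with the same pattern. Either align 1049/1050 with the new convention in the same release or, if the list syntax supports alternative values, accept both `1` and `4294967295` for these `Enabled` items so that a correctly hardened machine is not flagged.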
@@ -37,8 +37,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1035,"Schannel: TLS Settings: Chipers","RC4 64/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128",Enabled,,,,,0,=,High
 1036,"Schannel: TLS Settings: Chipers","RC4 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128",Enabled,,,,,0,=,High
 1037,"Schannel: TLS Settings: Chipers","Triple DES 168",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168",Enabled,,,,,0,=,Medium
-1038,"Schannel: TLS Settings: Chipers","AES 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128",Enabled,,,,,4294967295,=,Medium
-1039,"Schannel: TLS Settings: Chipers","AES 256/256",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256",Enabled,,,,,4294967295,=,Medium
+1038,"Schannel: TLS Settings: Chipers","AES 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128",Enabled,,,,,1,=,Medium
+1039,"Schannel: TLS Settings: Chipers","AES 256/256",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256",Enabled,,,,,1,=,Medium
 1040,"Administrative Templates: Network","SSL Configuration Settings: SSL Cipher Suite Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,,,,,"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",=,Medium
 1065,"Administrative Templates: Network","SSL Configuration Settings: ECC Curve Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,EccCurves,,,,,"NistP384 NistP256",=,Medium
 1041,"Schannel: TLS Settings: Hashes",MD5,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,,,,,0,=,Medium
@@ -51,7 +51,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1048,"Schannel: TLS Settings: KeyExchangeAlgorithms","Diffie-Hellman (ClientMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman,ClientMinKeyBitLength,,,,,2048,>=,Medium
 1049,"Schannel: TLS Settings: KeyExchangeAlgorithms",ECDH,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH,Enabled,,,,,4294967295,=,Medium
 1050,"Schannel: TLS Settings: KeyExchangeAlgorithms",PKCS,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,Enabled,,,,,4294967295,=,Medium
-1051,"Schannel: TLS Settings: KeyExchangeAlgorithms","PKCS (ServerMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,ClientMinKeyBitLength,,,,,2048,>=,Medium
+1051,"Schannel: TLS Settings: KeyExchangeAlgorithms","PKCS (ClientMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,ClientMinKeyBitLength,,,,,2048,>=,Medium
 1052,".NET Framework: TLS Settings","Use System Default TLS Versions (v2.0.50727, 32bit)",Registry,,HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727,SystemDefaultTlsVersions,,,,,1,=,Medium
 1053,".NET Framework: TLS Settings","Use Strong Crypto (v2.0.50727, 32bit)",Registry,,HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727,SchUseStrongCrypto,,,,,1,=,Medium
 1054,".NET Framework: TLS Settings","Use System Default TLS Versions (v2.0.50727)",Registry,,HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727,SystemDefaultTlsVersions,,,,,1,=,Medium
diff --git a/lists/finding_list_microsoft_windows_tls_future.csv b/lists/finding_list_microsoft_windows_tls_future.csv
index 20a1662..74d3f84 100644
--- a/lists/finding_list_microsoft_windows_tls_future.csv
+++ b/lists/finding_list_microsoft_windows_tls_future.csv 
@@ -23,9 +23,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1021,"Schannel: TLS Settings: Protocols","Server: TLSv1.1 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",Disabledbydefault,,,,,1,=,Medium
 1022,"Schannel: TLS Settings: Protocols","Client: TLSv1.1",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",Enabled,,,,,0,=,Medium
 1023,"Schannel: TLS Settings: Protocols","Client: TLSv1.1 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",Disabledbydefault,,,,,1,=,Medium
-1024,"Schannel: TLS Settings: Protocols","Server: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Enabled,,,,,4294967295,=,Medium
+1024,"Schannel: TLS Settings: Protocols","Server: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Enabled,,,,,1,=,Medium
 1025,"Schannel: TLS Settings: Protocols","Server: TLSv1.2 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",Disabledbydefault,,,,,0,=,Medium
-1026,"Schannel: TLS Settings: Protocols","Client: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Enabled,,,,,4294967295,=,Medium
+1026,"Schannel: TLS Settings: Protocols","Client: TLSv1.2",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Enabled,,,,,1,=,Medium
 1027,"Schannel: TLS Settings: Protocols","Client: TLSv1.2 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",Disabledbydefault,,,,,0,=,Medium
 1060,"Schannel: TLS Settings: Protocols","Server: TLSv1.3 ",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server",Enabled,,,,,0,=,Medium
 1061,"Schannel: TLS Settings: Protocols","Server: TLSv1.3 (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server",Disabledbydefault,,,,,1,=,Medium
@@ -41,8 +41,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1035,"Schannel: TLS Settings: Chipers","RC4 64/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128",Enabled,,,,,0,=,High
 1036,"Schannel: TLS Settings: Chipers","RC4 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128",Enabled,,,,,0,=,High
 1037,"Schannel: TLS Settings: Chipers","Triple DES 168",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168",Enabled,,,,,0,=,Medium
-1038,"Schannel: TLS Settings: Chipers","AES 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128",Enabled,,,,,4294967295,=,Medium
-1039,"Schannel: TLS Settings: Chipers","AES 256/256",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256",Enabled,,,,,4294967295,=,Medium
+1038,"Schannel: TLS Settings: Chipers","AES 128/128",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128",Enabled,,,,,1,=,Medium
+1039,"Schannel: TLS Settings: Chipers","AES 256/256",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256",Enabled,,,,,1,=,Medium
 1064,"Administrative Templates: Network","SSL Configuration Settings: SSL Cipher Suite Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,,,,,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",=,Medium
 1065,"Administrative Templates: Network","SSL Configuration Settings: ECC Curve Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,EccCurves,,,,,"Curve25519 NistP384 NistP256",=,Medium
 1041,"Schannel: TLS Settings: Hashes",MD5,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,,,,,0,=,Medium
@@ -55,7 +55,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1048,"Schannel: TLS Settings: KeyExchangeAlgorithms","Diffie-Hellman (ClientMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman,ClientMinKeyBitLength,,,,,2048,>=,Medium
 1049,"Schannel: TLS Settings: KeyExchangeAlgorithms",ECDH,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH,Enabled,,,,,4294967295,=,Medium
 1050,"Schannel: TLS Settings: KeyExchangeAlgorithms",PKCS,Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,Enabled,,,,,4294967295,=,Medium
-1051,"Schannel: TLS Settings: KeyExchangeAlgorithms","PKCS (ServerMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,ClientMinKeyBitLength,,,,,2048,>=,Medium
+1051,"Schannel: TLS Settings: KeyExchangeAlgorithms","PKCS (ClientMinKeyBitLength)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS,ClientMinKeyBitLength,,,,,2048,>=,Medium
 1052,".NET Framework: TLS Settings","Use System Default TLS Versions (v2.0.50727, 32bit)",Registry,,HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727,SystemDefaultTlsVersions,,,,,1,=,Medium
 1053,".NET Framework: TLS Settings","Use Strong Crypto (v2.0.50727, 32bit)",Registry,,HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727,SchUseStrongCrypto,,,,,1,=,Medium
 1054,".NET Framework: TLS Settings","Use System Default TLS Versions (v2.0.50727)",Registry,,HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727,SystemDefaultTlsVersions,,,,,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_edge_87_machine.csv b/lists/finding_list_msft_security_baseline_edge_87_machine.csv
index cf64e47..6e97693 100644
--- a/lists/finding_list_msft_security_baseline_edge_87_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_87_machine.csv
@@ -9,6 +9,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1007,"Microsoft Edge","Enable saving passwords to the password manager",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PasswordManagerEnabled,,,,1,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
 1012,"Microsoft Edge","Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,EnableSha1ForLocalAnchors,,,,0,0,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_88_machine.csv b/lists/finding_list_msft_security_baseline_edge_88_machine.csv
index 46d589d..229156b 100644
--- a/lists/finding_list_msft_security_baseline_edge_88_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_88_machine.csv
@@ -9,7 +9,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1007,"Microsoft Edge","Enable saving passwords to the password manager",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PasswordManagerEnabled,,,,1,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
 1012,"Microsoft Edge","Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,EnableSha1ForLocalAnchors,,,,0,0,=,Low
 1012,"Microsoft Edge","Allow Basic authentication for HTTP",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,,,,,0,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_92_machine.csv b/lists/finding_list_msft_security_baseline_edge_92_machine.csv
index f936943..a1877a9 100644
--- a/lists/finding_list_msft_security_baseline_edge_92_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_92_machine.csv
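Review bot: The context of this hunk shows two rows carrying ID 1012 ("Allow certificates signed using SHA-1 ..." and "Allow Basic authentication for HTTP"), the same duplicate-ID defect this commit fixes for 5.22.2 and 5.40.2 in the CIS 21H2 list. It is pre-existing rather than introduced here, but if reports or the HailMary mode key on the ID column, the two rows cannot be told apart, so giving the Basic-authentication row a unique ID — `<NEXT_FREE_ID>,"Microsoft Edge","Allow Basic authentication for HTTP",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,,,,,0,=,Low` — would fit the de-duplication this commit already performs. The later Edge lists (92 through 98) may carry the same row; their hunks in this diff end before it would appear, so I have not checked them.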
@@ -13,5 +13,5 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_93_machine.csv b/lists/finding_list_msft_security_baseline_edge_93_machine.csv
index 58a111e..a369dee 100644
--- a/lists/finding_list_msft_security_baseline_edge_93_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_93_machine.csv
@@ -13,5 +13,5 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_95_machine.csv b/lists/finding_list_msft_security_baseline_edge_95_machine.csv
index 8ba9d18..cc79a01 100644
--- a/lists/finding_list_msft_security_baseline_edge_95_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_95_machine.csv
@@ -15,5 +15,5 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_96_machine.csv b/lists/finding_list_msft_security_baseline_edge_96_machine.csv
index 6820db1..cc95064 100644
--- a/lists/finding_list_msft_security_baseline_edge_96_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_96_machine.csv
@@ -16,6 +16,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
 1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_97_machine.csv b/lists/finding_list_msft_security_baseline_edge_97_machine.csv
index 59555c3..4172dda 100644
--- a/lists/finding_list_msft_security_baseline_edge_97_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_97_machine.csv
@@ -17,6 +17,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
 1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_edge_98_machine.csv b/lists/finding_list_msft_security_baseline_edge_98_machine.csv
index 5d1abfc..78ad2c1 100644
--- a/lists/finding_list_msft_security_baseline_edge_98_machine.csv
+++ b/lists/finding_list_msft_security_baseline_edge_98_machine.csv
@@ -18,6 +18,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
 1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
 1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
-1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
 1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
 1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_machine.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_machine.csv
index aa30636..4d3a819 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_machine.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_machine.csv
@@ -187,7 +187,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 6185,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Excel)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",excel.exe,,,,,69632,=,Medium
 6186,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Publisher)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",mspub.exe,,,,,69632,=,Medium
 6187,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (PowerPoint)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",powerpnt.exe,,,,,69632,=,Medium
-6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onent.exe,,,,,69632,=,Medium
+6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onenote.exe,,,,,69632,=,Medium
 6189,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Visio)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",visio.exe,,,,,69632,=,Medium
 6190,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Project)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winproj.exe,,,,,69632,=,Medium
 6191,"Office 2016 / Office 365","Restrict legacy JScript execution for Office 
(Word)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winword.exe,,,,,69632,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_user.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_user.csv
index 1da5d74..9a7a768 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_user.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2104_user.csv
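Review bot: The RegistryItem in the 6188 row is the process image name under which FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE is keyed, so the old `onent.exe` made the audit read a value Office never consults and the OneNote restriction was never actually assessed; the corrected `onenote.exe` is right. The same typo is fixed again in the v2112 and v2206 machine lists further down, which suggests the rows were copied list-to-list, so a small self-check that every RegistryItem under this key is one of the image names already used here (excel.exe, mspub.exe, powerpnt.exe, onenote.exe, visio.exe, winproj.exe, winword.exe) would catch a recurrence before release. The 6191 row is wrapped across two physical lines in this rendering but is a single CSV record.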
@@ -24,7 +24,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5041,"Office 2016 / Office 365","Microsoft Excel: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium
 5014,"Office 2016 / Office 365","Microsoft Excel: Do not show AutoRepublish warning alert",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,disableautorepublishwarning,,,,,0,=,Medium
 5010,"Office 2016 / Office 365","Microsoft Excel: Do not show data extraction options when opening corrupt workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,extractdatadisableui,,,,,1,=,Medium
-5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium
+5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
 5024,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
 5026,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Dif and Sylk files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,difandsylkfiles,,,,,2,=,Medium
 5027,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 2 macrosheets and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl2macros,,,,,2,=,Medium
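Review bot: The replaced 5023 row read `HKCU:\Software\Microsoft\Office\16.0\Excel\Options\DDEAllowed`, a per-user preference rather than the policy hive, with a recommended value of `1`; if DDEAllowed=1 means DDE server launch is permitted, the old check rewarded the insecure state, and the new row against `disableddeserverlaunch` under the policy key (default 0, recommended 1) is consistent with the adjacent 5024 row. Because the finding ID is kept while the meaning of a pass flips, audit reports for 5023 taken before and after this release are not comparable, so a sentence in the README or release notes naming this ID would prevent a false "regression" when users diff reports. The same replacement appears in the v2112, v2206 and office_365_v1908 user lists below.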
@@ -98,7 +98,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5151,"Office 2016 / Office 365","Microsoft Project: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",notbpromptunsignedaddin,,,,,1,=,Medium
 5217,"Office 2016 / Office 365","Microsoft Project: Require that application add-ins are signed by Trusted Publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",requireaddinsig,,,,,1,=,Medium
 5152,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy)",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbawarnings,,,,2,3,>=,Medium
-5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium
 5161,"Office 2016 / Office 365","Microsoft Publisher: Disable Trust Bar Notification for unsigned application add-ins",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,notbpromptunsignedaddin,,,,,1,=,Medium
 5160,"Office 2016 / Office 365","Microsoft Publisher: Publisher Automation Security Level",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecuritypublisher,,,,,2,=,Medium
 5218,"Office 2016 / Office 365","Microsoft Publisher: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,requireaddinsig,,,,,1,=,Medium
@@ -118,7 +117,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5192,"Office 2016 / Office 365","Microsoft Word: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,notbpromptunsignedaddin,,,,,1,=,Medium
 5204,"Office 2016 / Office 365","Microsoft Word: Do not open files from the Internet zone in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableinternetfilesinpv,,,,,0,=,Medium
 5205,"Office 2016 / Office 365","Microsoft Word: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium
-5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,,0,=,Medium
+5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,0,0,=,Medium
 5195,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Set default file block behavior",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,openinprotectedview,,,,,0,=,Medium
 5196,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2 and earlier binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2files,,,,,2,=,Medium
 5197,"Office 2016 / Office 365","Microsoft Word: File Block Settings: Word 2000 binary documents and templates",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock,word2000files,,,,,2,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_machine.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_machine.csv
index 1822dcc..779d87b 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_machine.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_machine.csv
@@ -185,7 +185,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 6185,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Excel)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",excel.exe,,,,,69632,=,Medium
 6186,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Publisher)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",mspub.exe,,,,,69632,=,Medium
 6187,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (PowerPoint)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",powerpnt.exe,,,,,69632,=,Medium
-6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onent.exe,,,,,69632,=,Medium
+6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onenote.exe,,,,,69632,=,Medium
 6189,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Visio)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",visio.exe,,,,,69632,=,Medium
 6190,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Project)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winproj.exe,,,,,69632,=,Medium
 6191,"Office 2016 / Office 365","Restrict legacy JScript execution for Office 
(Word)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winword.exe,,,,,69632,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv
index 03892ed..78ab69c 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2112_user.csv
@@ -20,7 +20,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5231,"Office 2016 / Office 365","Microsoft Excel: Prevent Excel from running XLM macros",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,xl4macrooff,,,,,1,=,Medium
 5224,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
 5022,"Office 2016 / Office 365","Microsoft Excel: Always prevent untrusted Microsoft Query files from opening",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",enableblockunsecurequeryfiles,,,,0,1,=,Medium
-5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium
+5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
 5024,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
 5025,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: dBase III / IV files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,dbasefiles,,,,,2,=,Medium
 5026,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Dif and Sylk files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,difandsylkfiles,,,,,2,=,Medium
@@ -114,7 +114,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5151,"Office 2016 / Office 365","Microsoft Project: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",notbpromptunsignedaddin,,,,,1,=,Medium
 5217,"Office 2016 / Office 365","Microsoft Project: Require that application add-ins are signed by Trusted Publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",requireaddinsig,,,,,1,=,Medium
 5152,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy)",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbawarnings,,,,2,3,>=,Medium
-5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium
 5160,"Office 2016 / Office 365","Microsoft Publisher: Publisher Automation Security Level",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecuritypublisher,,,,,2,=,Medium
 5161,"Office 2016 / Office 365","Microsoft Publisher: Disable Trust Bar Notification for unsigned application add-ins",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,notbpromptunsignedaddin,,,,,1,=,Medium
 5218,"Office 2016 / Office 365","Microsoft Publisher: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,requireaddinsig,,,,,1,=,Medium
@@ -132,7 +131,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5190,"Office 2016 / Office 365","Microsoft Word: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,enableonload,,,,,1,=,Medium
 5191,"Office 2016 / Office 365","Microsoft Word: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium
 5192,"Office 2016 / Office 365","Microsoft Word: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,notbpromptunsignedaddin,,,,,1,=,Medium
-5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,,0,=,Medium
+5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,0,0,=,Medium
 5221,"Office 2016 / Office 365","Microsoft Word: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,requireaddinsig,,,,,1,=,Medium
 5193,"Office 2016 / Office 365","Microsoft Word: Scan encrypted macros in Word Open XML documents",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,wordbypassencryptedmacroscan,,,,,0,=,Medium
 5194,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,3,>=,Medium
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv
index 1822dcc..779d87b 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_machine.csv 
@@ -185,7 +185,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 6185,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Excel)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",excel.exe,,,,,69632,=,Medium
 6186,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Publisher)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",mspub.exe,,,,,69632,=,Medium
 6187,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (PowerPoint)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",powerpnt.exe,,,,,69632,=,Medium
-6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onent.exe,,,,,69632,=,Medium
+6188,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (OneNote)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",onenote.exe,,,,,69632,=,Medium
 6189,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Visio)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",visio.exe,,,,,69632,=,Medium
 6190,"Office 2016 / Office 365","Restrict legacy JScript execution for Office (Project)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winproj.exe,,,,,69632,=,Medium
 6191,"Office 2016 / Office 365","Restrict legacy JScript execution for Office 
(Word)",Registry,,"HKLM:\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE",winword.exe,,,,,69632,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv
index c86f1f9..34154e8 100644
--- a/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv
+++ b/lists/finding_list_msft_security_baseline_microsoft_365_apps_v2206_user.csv
@@ -20,7 +20,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5231,"Office 2016 / Office 365","Microsoft Excel: Prevent Excel from running XLM macros",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,xl4macrooff,,,,,1,=,Medium
 5224,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
 5022,"Office 2016 / Office 365","Microsoft Excel: Always prevent untrusted Microsoft Query files from opening",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",enableblockunsecurequeryfiles,,,,0,1,=,Medium
-5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium
+5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
 5024,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
 5025,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: dBase III / IV files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,dbasefiles,,,,,2,=,Medium
 5026,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Dif and Sylk files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,difandsylkfiles,,,,,2,=,Medium
@@ -113,7 +113,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5151,"Office 2016 / Office 365","Microsoft Project: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",notbpromptunsignedaddin,,,,,1,=,Medium
 5217,"Office 2016 / Office 365","Microsoft Project: Require that application add-ins are signed by Trusted Publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",requireaddinsig,,,,,1,=,Medium
 5152,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy)",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbawarnings,,,,2,3,>=,Medium
-5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium
 5160,"Office 2016 / Office 365","Microsoft Publisher: Publisher Automation Security Level",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecuritypublisher,,,,,2,=,Medium
 5161,"Office 2016 / Office 365","Microsoft Publisher: Disable Trust Bar Notification for unsigned application add-ins",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,notbpromptunsignedaddin,,,,,1,=,Medium
 5218,"Office 2016 / Office 365","Microsoft Publisher: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,requireaddinsig,,,,,1,=,Medium
@@ -131,7 +130,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5190,"Office 2016 / Office 365","Microsoft Word: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,enableonload,,,,,1,=,Medium
 5191,"Office 2016 / Office 365","Microsoft Word: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium
 5192,"Office 2016 / Office 365","Microsoft Word: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,notbpromptunsignedaddin,,,,,1,=,Medium
-5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,,0,=,Medium
+5220,"Office 2016 / Office 365","Microsoft Word: Dynamic Data Exchange",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,allowdde,,,,0,0,=,Medium
 5221,"Office 2016 / Office 365","Microsoft Word: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,requireaddinsig,,,,,1,=,Medium
 5193,"Office 2016 / Office 365","Microsoft Word: Scan encrypted macros in Word Open XML documents",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,wordbypassencryptedmacroscan,,,,,0,=,Medium
 5194,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,3,>=,Medium
diff --git a/lists/finding_list_msft_security_baseline_office_365_v1908_user.csv b/lists/finding_list_msft_security_baseline_office_365_v1908_user.csv
index 7934e61..038e0e9 100644
--- a/lists/finding_list_msft_security_baseline_office_365_v1908_user.csv
+++ b/lists/finding_list_msft_security_baseline_office_365_v1908_user.csv
@@ -23,7 +23,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 5041,"Office 2016 / Office 365","Microsoft Excel: Do not open files in unsafe locations in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableunsafelocationsinpv,,,,,0,=,Medium
 5014,"Office 2016 / Office 365","Microsoft Excel: Do not show AutoRepublish warning alert",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,disableautorepublishwarning,,,,,0,=,Medium
 5010,"Office 2016 / Office 365","Microsoft Excel: Do not show data extraction options when opening corrupt workbooks",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\options,extractdatadisableui,,,,,1,=,Medium
-5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,HKCU:\Software\Microsoft\Office\16.0\Excel\Options,DDEAllowed,,,,1,1,=,Medium
+5023,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server launch in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlaunch,,,,0,1,=,Medium
 5024,"Office 2016 / Office 365","Microsoft Excel: Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",disableddeserverlookup,,,,0,1,=,Medium
 5026,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Dif and Sylk files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,difandsylkfiles,,,,,2,=,Medium
 5027,"Office 2016 / Office 365","Microsoft Excel: File Block Settings: Excel 2 macrosheets and add-in files",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\fileblock,xl2macros,,,,,2,=,Medium