Commit

Easter Update
[+] Add Microsoft Defender Application Guard to 0x6d69636b list
[+] Add items from MSFT Security Baseline to 0x6d69636b list
[*] Extend function WindowsOptionalFeature in HailMary mode
[*] Microsoft renamed its Office 365 baseline
[*] Update DefaultValues to Windows 10 20H2
0x6d69636b committed Apr 6, 2021
1 parent fbe4e67 commit 83ad2fc
Showing 16 changed files with 515 additions and 716 deletions.
243 changes: 176 additions & 67 deletions Invoke-HardeningKitty.ps1

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -96,5 +96,5 @@ HardeningKitty can be used to audit systems against the following baselines / be
| Microsoft Security baseline for Windows Server 10 version 2009 (Member) | 2009 | Final |
| Microsoft Security baseline for Office 365 ProPlus v1908 (Machine) | Sept 2019 | Final |
| Microsoft Security baseline for Office 365 ProPlus v1908 (User) | Sept 2019 | Final |
| Microsoft Security baseline for Office 365 ProPlus v2103 (Machine) | March 2021 | Draft |
| Microsoft Security baseline for Office 365 ProPlus v2103 (User) | March 2021 | Draft |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise v2103 (Machine) | March 2021 | Draft |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise v2103 (User) | March 2021 | Draft |
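
Review bot: The two renamed rows write "Security Baseline" with a capital B, while every other row visible in this table, including the Office 365 ProPlus v1908 rows just above, uses "Security baseline". Suggest keeping the existing casing so the table stays consistent and a text search for one spelling finds every baseline.
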
105 changes: 58 additions & 47 deletions lists/finding_list_0x6d69636b_machine.csv

Large diffs are not rendered by default.

5 changes: 3 additions & 2 deletions lists/finding_list_0x6d69636b_user.csv
@@ -1,10 +1,11 @@
ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
1324,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium
4000,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion,NoCloudApplicationNotification,,,,0,1,=,Medium
4001,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
4100,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
4200,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
4201,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
4201,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
4202,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
4300,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKCU:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium
4301,PowerShell,"Turn on PowerShell Script Block Logging (Invocation)",Registry,,HKCU:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockInvocationLogging,,,,0,1,=,Low
4302,PowerShell,"Turn on PowerShell Transcription",Registry,,HKCU:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,1,=,Low
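
Review bot: Renumbering the AlwaysInstallElevated row from 4201 to 4202 removes the duplicate ID, but the row still carries DefaultValue 1 against RecommendedValue 0. When this policy value is absent, Windows Installer does not install with elevated privileges, so a default of 1 looks wrong for an unconfigured profile; please confirm and set it to 0 if so. Separately, row 1324 points at HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters and sits outside the 4xxx ID range of the other rows in this user list; if that is intentional, a short note in the README would explain why a machine-wide setting is checked here.
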
Expand Down Expand Up @@ -38,4 +39,4 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
4502,"Windows Settings","System: Shared experiences: Shared across devices 1",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\CDP,RomeSdkChannelUserAuthzPolicy,,,,1,0,=,Low
4503,"Windows Settings","System: Shared experiences: Shared across devices 2",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\CDP,CdpSessionUserAuthzPolicy,,,,1,0,=,Low
4504,"Windows Settings","Devices: Typing: Autocorrect misspelled words",Registry,,HKCU:\Software\Microsoft\TabletTip\1.7,EnableAutocorrection,,,,1,0,=,Low
4505,"Windows Settings","Devices: AutoPlay: Use AutoPlay for all media and devices",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers,DisableAutoplay,,,,1,0,=,Low
4505,"Windows Settings","Devices: AutoPlay: Use AutoPlay for all media and devices",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers,DisableAutoplay,,,,0,0,=,Low
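
Review bot: With DefaultValue changed to 0, row 4505 now has DefaultValue and RecommendedValue both 0, and the registry item is DisableAutoplay, where 0 leaves AutoPlay switched on. The row name describes the "Use AutoPlay for all media and devices" toggle, so for a hardening list the recommended value of the Disable item should presumably be 1; as written the check passes on a profile where AutoPlay is active. Please check the polarity of RecommendedValue, not only the default.
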
148 changes: 74 additions & 74 deletions lists/finding_list_cis_microsoft_windows_10_enterprise_machine.csv

Large diffs are not rendered by default.

58 changes: 29 additions & 29 deletions lists/finding_list_cis_microsoft_windows_server_2019_machine.csv

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
5000,"Office 2016 / Office 365","Microsoft Access: Block macros from running in Office files from the Internet",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,blockcontentexecutionfrominternet,,,,,1,=,Medium
5001,"Office 2016 / Office 365","Microsoft Access: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,notbpromptunsignedaddin,,,,,1,=,Medium
5002,"Office 2016 / Office 365","Microsoft Access: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,vbawarnings,,,,2,3,>=,Medium
5227,"Office 2016 / Office 365","Microsoft Access: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\software\policies\microsoft\office\16.0\access\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5227,"Office 2016 / Office 365","Microsoft Access: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\access\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5045,"Office 2016 / Office 365","Microsoft Excel: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\trusted locations",allownetworklocations,,,,,0,=,Medium
5039,"Office 2016 / Office 365","Microsoft Excel: Always open untrusted database files in Protected View",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,enabledatabasefileprotectedview,,,,,1,=,Medium
5022,"Office 2016 / Office 365","Microsoft Excel: Always prevent untrusted Microsoft Query files from opening",Registry,,"HKCU:\software\policies\microsoft\office\16.0\excel\security\external content",enableblockunsecurequeryfiles,,,,0,1,=,Medium
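
Review bot: Row 5227 had an empty Method column, and the same gap is fixed by hand on the other vbadigsigtrustedpublishers rows in this file, which suggests nothing rejects a row without a Method when a list is loaded. Consider adding a check, in the script or as a lint over the finding lists, that fails on an empty Method so an incomplete row is caught before release.
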
Expand Down Expand Up @@ -50,7 +50,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
5044,"Office 2016 / Office 365","Microsoft Excel: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium
5017,"Office 2016 / Office 365","Microsoft Excel: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security\filevalidation,enableonload,,,,,1,=,Medium
5021,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security,vbawarnings,,,,2,3,>=,Medium
5224,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\software\policies\microsoft\office\16.0\excel\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5224,"Office 2016 / Office 365","Microsoft Excel: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5018,"Office 2016 / Office 365","Microsoft Excel: WEBSERVICE Function Notification Settings",Registry,,HKCU:\software\policies\microsoft\office\16.0\excel\security,webservicefunctionwarnings,,,,,1,=,Medium
5096,"Office 2016 / Office 365","Microsoft Outlook: Allow Active X One Off Forms",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\security,allowactivexoneoffforms,,,,,0,=,Medium
5116,"Office 2016 / Office 365","Microsoft Outlook: Allow hyperlinks in suspected phishing e-mail messages",Registry,,HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail,junkmailenablelinks,,,,,0,=,Medium
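
Review bot: Row 5224 is evaluated with "= 1" independently of row 5021, although its own name marks it as a sub-option of the VBA Macro Notification Settings policy (the trusted-publisher requirement applies to the "disable all except digitally signed macros" choice, vbawarnings 3). Row 5021 accepts ">= 3", so a stricter profile with vbawarnings 4 passes 5021 but fails 5224 unless the sub-option is also set. Worth documenting that the two rows are to be read together, or saying so in the row name.
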
Expand Down Expand Up @@ -94,17 +94,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
5142,"Office 2016 / Office 365","Microsoft PowerPoint: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium
5132,"Office 2016 / Office 365","Microsoft PowerPoint: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation,enableonload,,,,,1,=,Medium
5135,"Office 2016 / Office 365","Microsoft PowerPoint: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,vbawarnings,,,,2,3,>=,Medium
5225,"Office 2016 / Office 365","Microsoft PowerPoint: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5225,"Office 2016 / Office 365","Microsoft PowerPoint: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5150,"Office 2016 / Office 365","Microsoft Project: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security\trusted locations",allownetworklocations,,,,,0,=,Medium
5151,"Office 2016 / Office 365","Microsoft Project: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",notbpromptunsignedaddin,,,,,1,=,Medium
5217,"Office 2016 / Office 365","Microsoft Project: Require that application add-ins are signed by Trusted Publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",requireaddinsig,,,,,1,=,Medium
5152,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy)",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbawarnings,,,,2,3,>=,Medium
5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium
5228,"Office 2016 / Office 365","Microsoft Project: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,"HKCU:\software\policies\microsoft\office\16.0\ms project\security",vbadigsigtrustedpublishers,,,,,1,=,Medium
5161,"Office 2016 / Office 365","Microsoft Publisher: Disable Trust Bar Notification for unsigned application add-ins",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,notbpromptunsignedaddin,,,,,1,=,Medium
5160,"Office 2016 / Office 365","Microsoft Publisher: Publisher Automation Security Level",Registry,,HKCU:\software\policies\microsoft\office\common\security,automationsecuritypublisher,,,,,2,=,Medium
5218,"Office 2016 / Office 365","Microsoft Publisher: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,requireaddinsig,,,,,1,=,Medium
5162,"Office 2016 / Office 365","Microsoft Publisher: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,vbawarnings,,,,2,3,>=,Medium
5229,"Office 2016 / Office 365","Microsoft Publisher: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5229,"Office 2016 / Office 365","Microsoft Publisher: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\publisher\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5170,"Office 2016 / Office 365","Microsoft Visio: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\visio\security\trusted locations",allownetworklocations,,,,,0,=,Medium
5171,"Office 2016 / Office 365","Microsoft Visio: Block macros from running in Office files from the Internet",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,blockcontentexecutionfrominternet,,,,,1,=,Medium
5172,"Office 2016 / Office 365","Microsoft Visio: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,notbpromptunsignedaddin,,,,,1,=,Medium
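
Review bot: Rows 5225, 5228 and 5229 now have a Method but still leave DefaultValue empty, whereas the vbawarnings rows next to them (5135, 5152, 5162) state a default of 2. If the behaviour when the policy value is absent is known, fill DefaultValue in as well, so the result on an unconfigured profile is defined by the list.
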
Expand All @@ -113,7 +113,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
5176,"Office 2016 / Office 365","Microsoft Visio: File Block Settings: Visio 5.0 or earlier Binary Drawings, Templates and Stencils",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security\fileblock,visio50andearlierfiles,,,,,2,=,Medium
5219,"Office 2016 / Office 365","Microsoft Visio: Require that application add-ins are signed by Trusted Publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,requireaddinsig,,,,,1,=,Medium
5173,"Office 2016 / Office 365","Microsoft Visio: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,vbawarnings,,,,2,3,>=,Medium
5230,"Office 2016 / Office 365","Microsoft Visio: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\software\policies\microsoft\office\16.0\visio\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5230,"Office 2016 / Office 365","Microsoft Visio: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\software\policies\microsoft\office\16.0\visio\security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5209,"Office 2016 / Office 365","Microsoft Word: Allow Trusted Locations on the network",Registry,,"HKCU:\software\policies\microsoft\office\16.0\word\security\trusted locations",allownetworklocations,,,,,0,=,Medium
5191,"Office 2016 / Office 365","Microsoft Word: Block macros from running in Office files from the Internet",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,blockcontentexecutionfrominternet,,,,0,1,=,Medium
5192,"Office 2016 / Office 365","Microsoft Word: Disable Trust Bar Notification for unsigned application add-ins and block them",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security,notbpromptunsignedaddin,,,,,1,=,Medium
Expand All @@ -136,7 +136,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
5208,"Office 2016 / Office 365","Microsoft Word: Turn off Protected View for attachments opened from Outlook",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\protectedview,disableattachmentsinpv,,,,,0,=,Medium
5190,"Office 2016 / Office 365","Microsoft Word: Turn off file validation",Registry,,HKCU:\software\policies\microsoft\office\16.0\word\security\filevalidation,enableonload,,,,,1,=,Medium
5194,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy)",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbawarnings,,,,2,3,>=,Medium
5226,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5226,"Office 2016 / Office 365","Microsoft Word: VBA Macro Notification Settings (Policy) - Require macros to be signed by a trusted publisher",Registry,,HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security,vbadigsigtrustedpublishers,,,,,1,=,Medium
5070,"Office 2016 / Office 365","Security Settings: ActiveX Control Initialization",Registry,,HKCU:\software\policies\microsoft\office\common\security,uficontrols,,,,,6,=,Medium
5210,"Office 2016 / Office 365","Security Settings: Allow VBA to load typelib references by path from untrusted intranet locations",Registry,,HKCU:\software\policies\microsoft\vba\security,allowvbaintranetreferences,,,,,0,=,Medium
5078,"Office 2016 / Office 365","Security Settings: Allow mix of policy and user locations",Registry,,"HKCU:\software\policies\microsoft\office\16.0\common\security\trusted locations","allow user locations",,,,,0,=,Medium
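
Review bot: The Category column in these rows still reads "Office 2016 / Office 365", while the commit message notes that Microsoft renamed its Office 365 baseline and the README change in the same commit switches to "Microsoft 365 Apps for enterprise". If the category appears in reports, consider aligning it, or state that the old category name is kept on purpose. The registry paths also mix HKCU:\Software\Policies and HKCU:\software\policies (rows 5226 and 5208); harmless for lookups, but worth normalising.
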

0 comments on commit 83ad2fc
