Update to HardeningKitty v.0.7.0
0x6d69636b committed Dec 24, 2021
1 parent 72462bb commit c33feeb
Showing 35 changed files with 2,296 additions and 145 deletions.
345 changes: 299 additions & 46 deletions Invoke-HardeningKitty.ps1


48 changes: 30 additions & 18 deletions README.md
Expand Up @@ -13,46 +13,49 @@ Run the script with administrative privileges to access machine settings. For th
Download _HardeningKitty_ and copy it to the target system (script and lists). After that HardeningKitty can be imported and executed:

```powershell
PS C:\> Import-Module Invoke-HardeningKitty.ps1
PS C:\> Invoke-HardeningKitty -EmojiSupport
PS C:\tmp> Import-Module .\Invoke-HardeningKitty.ps1
PS C:\tmp> Invoke-HardeningKitty -EmojiSupport
=^._.^=
_( )/ HardeningKitty
_( )/ HardeningKitty 0.6.1-1628003775
[*] 5/28/2020 4:39:16 PM - Starting HardeningKitty
[*] 8/7/2021 7:27:04 AM - Starting HardeningKitty
[*] 5/28/2020 4:39:16 PM - Getting machine information
[*] Hostname: w10
[*] 8/7/2021 7:27:04 AM - Getting machine information
[*] Hostname: DESKTOP-DG83TOD
[*] Domain: WORKGROUP
...
[*] 5/28/2020 4:39:21 PM - Starting Category Account Policies
[😺] ID 1100, Account lockout duration, Result=30, Severity=Passed
[😺] ID 1101, Account lockout threshold, Result=5, Severity=Passed
[😺] ID 1102, Reset account lockout counter, Result=30, Severity=Passed
[*] 8/7/2021 7:27:09 AM - Starting Category Account Policies
[😺] ID 1103, Store passwords using reversible encryption, Result=0, Severity=Passed
[😺] ID 1100, Account lockout threshold, Result=10, Severity=Passed
[😺] ID 1101, Account lockout duration, Result=30, Severity=Passed
...
[*] 5/28/2020 4:39:23 PM - Starting Category Advanced Audit Policy Configuration
[😼] ID 1513, Kernel Object, Result=, Recommended=Success and Failure, Severity=Low
[*] 8/7/2021 7:27:09 AM - Starting Category User Rights Assignment
[😿] ID 1200, Access this computer from the network, Result=BUILTIN\Administrators;BUILTIN\Users, Recommended=BUILTIN\Administrators, Severity=Medium
...
[*] 5/28/2020 4:39:24 PM - Starting Category System
[😿] ID 1614, Device Guard: Virtualization Based Security Status, Result=Not available, Recommended=2, Severity=Medium
[*] 8/7/2021 7:27:12 AM - Starting Category Administrative Templates: Printer
[🙀] ID 1764, Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527), Result=1, Recommended=0, Severity=High
[🙀] ID 1765, Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527), Result=2, Recommended=0, Severity=High
...
[*] 5/28/2020 4:39:25 PM - Starting Category Windows Components
[🙀] ID 1708, BitLocker Drive Encryption: Volume status, Result=FullyDecrypted, Recommended=FullyEncrypted, Severity=High
[*] 8/7/2021 7:27:19 AM - Starting Category MS Security Guide
[😿] ID 2200, LSA Protection, Result=, Recommended=1, Severity=Medium
[😼] ID 2201, Lsass.exe audit mode, Result=, Recommended=8, Severity=Low
...
[*] 5/28/2020 4:39:34 PM - HardeningKitty is done
[*] 8/7/2021 7:27:48 AM - HardeningKitty is done
[*] 8/7/2021 7:27:48 AM - Your HardeningKitty score is: 4.82. HardeningKitty Statistics: Total checks: 325 - Passed: 213, Low: 33, Medium: 76, High: 3.
```

## Examples
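Review bot: the refreshed sample output still shows the banner `HardeningKitty 0.6.1-1628003775` and timestamps from 8/7/2021, so it predates the 0.7.0 release this commit announces and will not match what users of the new script see; regenerate the capture from the 0.7.0 script before merging. The switch to `PS C:\tmp> Import-Module .\Invoke-HardeningKitty.ps1` is a good change, since the explicit relative path makes clear that the script (and, per the context line, the lists) must be in the current directory. The statistics line is internally consistent (213 + 33 + 76 + 3 = 325 checks).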
Expand Down Expand Up @@ -114,7 +117,7 @@ The formula for the HardeningKitty Score is _(Points achieved / Maximum points)

## HardeningKitty Interface

[ataumo](https://github.com/ataumo) build a web based interface for HardeningKitty. The tool can be used to create your own lists and provides additional information on the hardening settings. The [source code](https://github.com/ataumo/windows_hardening_interface) is under AGPL license and there is a [demo site](https://ataumo-photo.fr/policies_hardening_interface/interface/windows/).
[ataumo](https://github.com/ataumo) build a web based interface for HardeningKitty. The tool can be used to create your own lists and provides additional information on the hardening settings. The [source code](https://github.com/ataumo/policies_hardening_interface) is under AGPL license and there is a [demo site](https://phi.cryptonit.fr/policies_hardening_interface/).

## Last Update

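Review bot: the touched line still reads "ataumo build a web based interface"; while editing it, change it to "built a web-based interface". The repository slug and the demo host both change in this hunk (windows_hardening_interface to policies_hardening_interface, ataumo-photo.fr to phi.cryptonit.fr), and the new slug now matches the path segment of the demo URL, which is the consistency a reader will check; a short note that the interface is third-party and that lists generated there should be reviewed before being used with HardeningKitty would round off the paragraph.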
Expand Down Expand Up @@ -159,15 +162,24 @@ HardeningKitty can be used to audit systems against the following baselines / be
| Microsoft Security baseline for Microsoft Edge | 87 | Final |
| Microsoft Security baseline for Microsoft Edge | 88, 89, 90, 91 | Final |
| Microsoft Security baseline for Microsoft Edge | 92 | Final |
| Microsoft Security baseline for Microsoft Edge | 93, 94 | Final |
| Microsoft Security baseline for Microsoft Edge | 95 | Final |
| Microsoft Security baseline for Microsoft Edge | 96 | Final |
| Microsoft Security baseline for Windows 10 | 2004 | Final |
| Microsoft Security baseline for Windows 10 | 20H2, 21H1 | Final |
| Microsoft Security baseline for Windows 10 | 21H2 | Final |
| Microsoft Security baseline for Windows 11 | 21H2 | Final |
| Microsoft Security baseline for Windows Server (DC) | 2004 | Final |
| Microsoft Security baseline for Windows Server (Member) | 2004 | Final |
| Microsoft Security baseline for Windows Server (DC) | 20H2 | Final |
| Microsoft Security baseline for Windows Server (Member) | 20H2 | Final |
| Microsoft Security baseline for Windows Server 2022 (DC) | 21H2 | Final |
| Microsoft Security baseline for Windows Server 2022 (Member) | 21H2 | Final |
| Microsoft Security baseline for Office 365 ProPlus (Machine) | Sept 2019 | Final |
| Microsoft Security baseline for Office 365 ProPlus (User) | Sept 2019 | Final |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine) | v2104, v2106 | Final |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2104, v2106 | Final |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine) | v2112 | Final |
| Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User) | v2112 | Final |
| Microsoft Windows Server TLS Settings | 1809 | 1.0 |
| Microsoft Windows Server TLS Settings (Future Use with TLSv1.3) | 1903 | 1.0 |
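Review bot: the new rows are inconsistent with the existing naming scheme in two ways. The Windows Server rows previously named only the release ("Microsoft Security baseline for Windows Server (DC) | 20H2"), whereas the new ones also name the product ("Microsoft Security baseline for Windows Server 2022 (DC) | 21H2"); and the table already mixes "Microsoft Security baseline" with "Microsoft Security Baseline" (Microsoft 365 Apps rows), which the new v2112 rows perpetuate. Pick one form for both. Consider also collapsing the three new Edge rows (93, 94 / 95 / 96) into a single row, as was done for "88, 89, 90, 91" and for Windows 10 "20H2, 21H1".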
8 changes: 6 additions & 2 deletions lists/finding_list_0x6d69636b_machine.csv
Expand Up @@ -105,6 +105,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
1602,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
1603,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
1604,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
1768,"Administrative Templates: Printer","Only use Package Point and Print (CVE-2021-36958)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint",PackagePointAndPrintOnly,,,,,1,=,Medium
1769,"Administrative Templates: Printer","Package Point and Print - Approved servers (CVE-2021-36958)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint",PackagePointAndPrintServerList,,,,,1,=,Medium
1764,"Administrative Templates: Printer","Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,High
1765,"Administrative Templates: Printer","Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,High
1766,"Administrative Templates: Printer","Point and Print Restrictions: Only administrators can install printer drivers on a print server (CVE-2021-34527)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium
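Review bot: rows 1768 and 1769 leave the default-value column (the field immediately before the recommended value 1) empty, while the neighbouring Point and Print rows 1764-1766 carry an explicit default of 0; if the not-configured state of PackagePointAndPrintOnly and PackagePointAndPrintServerList is likewise equivalent to 0, record it so a missing key is evaluated against a concrete default rather than an empty string, as the other CVE-2021-34527 / CVE-2021-36958 rows are. Placement is fine: the by-name ordering within the category is preserved (Only use ... before Package ... before Point and Print ...).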
Expand Down Expand Up @@ -208,8 +210,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
1918,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
1904,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
1919,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
1905,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
1920,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
1905,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
1920,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
1906,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
1921,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
1907,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
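Review bot: the rename of rule d3e037e1-3eb8-44c8-a917-57927947596d to "Block JavaScript or VBScript from launching downloaded executable content" is text-only (GUID, registry path, default and recommended values are unchanged), so no finding semantics change. Because the Name column is what appears in report lines, anyone filtering earlier reports on the old string "Impede JavaScript and VBScript to launch executables" will stop matching these findings; a changelog entry would help. The same rename must be applied to every list carrying this GUID; the BSI list in this commit is updated, so check that the remaining lists in the 35 changed files are as well.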
Expand Down Expand Up @@ -238,6 +240,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
1980,"Microsoft Defender Application Guard","Support for Microsoft Defender Application Guard",WindowsOptionalFeature,Windows-Defender-ApplicationGuard,,,,,,Disabled,Enabled,=,Medium
1981,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,3,=,Medium
1982,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium
1767,"Administrative Templates: Windows Components","News and interests: Enable news and interests on the taskbar",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds",EnableFeeds,,,,,0,=,Medium
1733,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
1734,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
1735,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium
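Review bot: row 1767 is placed correctly for the by-name ordering in "Administrative Templates: Windows Components" (News ... before OneDrive ...), but its default-value column is empty while the neighbouring rows 1733-1735 state an explicit default. News and interests is on unless the policy turns it off, so a default of 1 would be the accurate value here and would make a missing EnableFeeds key evaluate as the insecure state rather than as blank.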
Expand All @@ -258,6 +261,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
1750,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
1751,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium
1752,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium
1770,"Administrative Templates: Windows Components","Windows Installer: Disable Co-Installer (USB AutoInstall)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer",DisableCoInstallers,,,,,1,=,Medium
1753,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium
1754,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
1755,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
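Review bot: row 1770 breaks the by-name ordering used in this category: it sits after 1752 "Windows Logon Options ..." although its name starts with "Windows Installer:", so it belongs directly after 1751. The prefix is also misleading: DisableCoInstallers under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer governs device-driver co-installers, not Windows Installer (MSI) behaviour, and unlike the other "Windows Installer:" rows the path is not a \Policies\ key; a name such as "Device Installation: Disable co-installers (USB AutoInstall)" would describe the check better.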
6 changes: 3 additions & 3 deletions lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv
Expand Up @@ -257,7 +257,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
162,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
163,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium
165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
167,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
168,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
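Review bot: giving row 165 an explicit default of 0 brings it in line with row 163 (DisableAntiSpyware, default 0, recommended 0), which is the right direction, but the other Defender rows in this hunk (164, 167, 168, 169) still leave the default empty; if the same reasoning applies to them, fill those in too. Unrelated but visible in the context: row 164 spells the value name "DisableGenericRePorts"; registry value names are case-insensitive so the check still works, but "DisableGenericReports" is the documented spelling.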
Expand All @@ -281,8 +281,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
172,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium
172,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium
173,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
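Review bot: the rename here mirrors the machine list, which keeps the two lists consistent, but every ASR row in this hunk carries the same ID 172, so a report line of the form "ID 172, ..." cannot distinguish these findings from one another. This predates the commit, but since the README sample shows that IDs are how readers reference findings, it is worth a follow-up that assigns each ASR row its own ID.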