diff --git a/WAPT/control b/WAPT/control index 12b46c5..f3e5d13 100644 --- a/WAPT/control +++ b/WAPT/control @@ -1,5 +1,5 @@ package : comi-hardening -version : 1.0-11 +version : 1.0-12 architecture : all section : base priority : optional @@ -29,7 +29,7 @@ editor : keywords : licence : homepage : -package_uuid : b41cdf0c-d71e-4c8c-bf33-b3ad8c0bb4f7 +package_uuid : c76a8dc6-707d-4494-91d9-6ba4ffcac68f valid_from : valid_until : forced_install_on : @@ -39,6 +39,6 @@ max_os_version : icon_sha256sum : 0c223120ac1a6e4cd0d0abe04cd831c7d4a4c2661947e758c0f703b656933d9a signer : ggendron_pem signer_fingerprint: 244cdf15fa2ea3ead58e4abf232fdf9a30a8a28a798677f71d6a3e76e65f9003 -signature_date : 2024-03-18T15:46:57.000000 +signature_date : 2024-03-18T16:05:36.000000 signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes -signature : n+qVKKPjtkCml6DF7vMxcGt8H/7jC67oN/spTY5g5UfmxjUARoeUWRbNIXjXrVFoImOgY9tEZr7LwBaajQz8fCd09PjKxi9xh06zR+Mjcakd1tWsz0uE9pdMFt3IMuJ/Mlio6sB7wseTXk0HKX6LuTYMjbdL3kA3qucwO8VFGGJ/889XXbNseifOySJvDh5IbINGBa80QAylDU82TZcl5cN6LGfuXL39F+UJ2iHoSc14libZooDZdVtQuSZsFKkaYAMvudXmibj6W5Lq8hEOdchasCTrs4Q40GO8jBIyIinGz17oOdtnEXIHUNvMvDahl85MADNfIUjyZXm9p58pKA== \ No newline at end of file +signature : F0CyAS+q0gXiJzw7y2UWWd9B/SFC6YOp3rs0v6QpNdZvFDgEmE0WVkJBdeZUPUbntaLtmGrhUhSQ6Tg7TMnvUh5SzAtOsF574C/hJNp1l4t4ef9THXbH5InpF/974fx6pBVwGWIyMjl4N5bAqu6olIji9NpochO1ObsAStqbYexV21IbOcfpaOg6r5puMp0CdYo+xoKZGVwGfLmdkuSAUxPGCcprXPiRvdP1w7wLaU5JG/R/DmxjlPeqllD8gRipms+QivrglZbZZSIKX7T97CqH1vOOqa5h9fICgzDhoZDIsncNyYzIp+HbONFnSSfFxt3jM1I+WFDjc8pTAL6Kxw== \ No newline at end of file diff --git a/WAPT/manifest.sha256 b/WAPT/manifest.sha256 index 3a8aae6..ae74c78 100644 --- a/WAPT/manifest.sha256 +++ b/WAPT/manifest.sha256 @@ -1 +1 @@ -[[".env","720b2be3b2d977425b68892f478262e7d3f764ca56c86e4d6aa2f639ea3dd214"],[".vscode/launch.json","7185f7797616d2fefe06cdb959ccb08bf0f677287a21aacc3111a65d4f072584"],[".vscode/settings.json","c4ef3e7d26642471ae3a2faaa131a40791fda1542ede085de266c5144adb2a3c"],["README.CSV","22dd78a4853cb10c91896d896adb761a757f190e6dce0462ff3ed43cedb56237"],["WAPT/certificate.crt","68194bca04eef7aaf4dc3c3bd12b017a1263bb5fcc034919fc7edda0c62db266"],["WAPT/control","d4763870c226fae1453d6c4396d5c6d2bcdc7def92be8e12f86bb466d642182c"],["WAPT/icon.png","0c223120ac1a6e4cd0d0abe04cd831c7d4a4c2661947e758c0f703b656933d9a"],["WAPT/wapt.psproj","c6246be77fa0d87cb8860fc9de433dfc02b56edaaca368712d5b6267141eeee4"],["setup.py","f8460e7107a81051f7969e943cb6bd0c47231029cae7ad12c84ae2b6d02297dd"]] \ No newline at end of file +[[".env","720b2be3b2d977425b68892f478262e7d3f764ca56c86e4d6aa2f639ea3dd214"],[".vscode/launch.json","7185f7797616d2fefe06cdb959ccb08bf0f677287a21aacc3111a65d4f072584"],[".vscode/settings.json","c4ef3e7d26642471ae3a2faaa131a40791fda1542ede085de266c5144adb2a3c"],["README.CSV","22dd78a4853cb10c91896d896adb761a757f190e6dce0462ff3ed43cedb56237"],["WAPT/certificate.crt","68194bca04eef7aaf4dc3c3bd12b017a1263bb5fcc034919fc7edda0c62db266"],["WAPT/control","060229338bfce22bd9832245887e3f221604e6ce8fc25e8546bbd053cf04d54b"],["WAPT/icon.png","0c223120ac1a6e4cd0d0abe04cd831c7d4a4c2661947e758c0f703b656933d9a"],["WAPT/wapt.psproj","c6246be77fa0d87cb8860fc9de433dfc02b56edaaca368712d5b6267141eeee4"],["setup.py","0c9523892052c723da08729af8f37306ca3521dd936fc58a93f80450980dab93"]] \ No newline at end of file diff --git a/WAPT/signature.sha256 b/WAPT/signature.sha256 index f3821d8..b6b80b1 100644 --- a/WAPT/signature.sha256 +++ b/WAPT/signature.sha256 @@ -1 +1 @@ -DZZ+qn4vd+SwZNaUjZjf1si2iOuBV4o88pwwaK7LDheUSRRSRM3RuIcIdXFgDBUuW0gAtzHuy/K1EK42dZV0vcramGMnuiXXMd2VuMIzKwYlUOW0c5KiXm576Isp2zzLc3tNnoizGuRkZugSsefkBHPCZioVd+ZNB/TS0OhIMFat4lY+YNshrcKOeO4sYSlRezVVbgu58tFUz+NP0nw0EHfl4tO8MnrxhNTR2Az9gHfdDol0v8Yo4DOoI28CfJXv8FNK0PYrkmZ874N+NtItGVEIfx2grPrCl90HNZYyVMc/m/jFPbqD3p12GNZyQvnFroVMwWYF9Kt6cRZ4QLjsDA== \ No newline at end of file +imQsCgUg0LJ07qPOqMRApVBBm7o3vXijZjSH8X1abZY2AVQHzF+yPkygHte3WZR8GkM+KCcsGyevRqMSQ0bScCmBtbyY4gCJrDJNf0/uhYOS11F9jXtb7NniO7Xs8/ribKF1rAZ9ZZkUlSVGrhndWBznXCzmdug4rTWYhhmkTYVq/bxXSc8s39JqLzWe7iP309JHz2iCa4lhGX2gNTxdu8RX0Fw/1058VK1Feub+uHaiPh/zoF+RUdhUocTVmDUuwMySHx2+mhf6aE4+sDIdZEzOJ/TZU6bmp2GW4NeP6p3rRCvSzrBRcfQvohic1iDV1nbC6AHXdR8SaU4UYtLFdg== \ No newline at end of file diff --git a/setup.py b/setup.py index 58bf58e..dda5b07 100644 --- a/setup.py +++ b/setup.py @@ -4,145 +4,145 @@ import winreg def install(): - #CIS-15500 - Password History - run("net accounts /uniquepw:24") - #CIS-15501 - Maximum password Age - run("net accounts /MAXPWAGE:90") - #CIS-15502 - Minimum password Age - run("net accounts /minpwage:1") - #CIS-15503 - Minimum password Lenght - run("net accounts /MINPWLEN:14") - #CIS-15505 - Relax minimum password length limits - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1") - #CIS-15506 - Account lockout duration - run("net accounts /lockoutduration:15") - #CIS-15507 - Account lockout Threshold - run("net accounts /lockoutthreshold:5") - #CIS-15508 - Reset lockout counter after - run("net accounts /lockoutwindow:15") + # #CIS-15500 - Password History + # run("net accounts /uniquepw:24") + # #CIS-15501 - Maximum password Age + # run("net accounts /MAXPWAGE:90") + # #CIS-15502 - Minimum password Age + # run("net accounts /minpwage:1") + # #CIS-15503 - Minimum password Lenght + # run("net accounts /MINPWLEN:14") + # #CIS-15505 - Relax minimum password length limits + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1") + # #CIS-15506 - Account lockout duration + # run("net accounts /lockoutduration:15") + # #CIS-15507 - Account lockout Threshold + # run("net accounts /lockoutthreshold:5") + # #CIS-15508 - Reset lockout counter after + # run("net accounts /lockoutwindow:15") #CIS-15509 - Administrator account status disabled (fr) #run("net user administrateur /active:no") #CIS-15510 - 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3") + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3") #CIS-15511 - Guest account status disabled (fr) #run("net user Invité /active no") #CIS-15512 - Accounts: Limit local account use of blank passwords to console logon only' registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse","1") #CIS-15513 - Accounts: Rename Administrator Account' (fr) - run("wmic useraccount where name='Administrateur' rename 'comi-adm'") - #CIS-15514 - Accounts: Rename Guest Account' (fr) - run("wmic useraccount where name='Invité' rename 'comiguest'") + # run("wmic useraccount where name='Administrateur' rename 'comi-adm'") + # #CIS-15514 - Accounts: Rename Guest Account' (fr) + # run("wmic useraccount where name='Invité' rename 'comiguest'") #CIS-15515 - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1") - #CIS-15516 - Audit: Shut down system immediately if unable to log security audits - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0") - #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2") - #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1") - #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1") - #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. - #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1") - #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0") - #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30") - #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1") - #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0") - #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1") - #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10") - #CIS-15529 - 'Interactive logon: Message text for users attempting to log on'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ) - #CIS-15530 - 'Interactive logon: Message title for users attempting to log on'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI") - #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4") - #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10") - #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2") - #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2") - #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") - #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0") - #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15") - #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1") - #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") - #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1") - #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1") - #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. - #run("") - #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1") - #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1") - #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1") - #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0") - #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. - #run("") - #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion") - #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured. - #run("") - #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1") + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1") + # #CIS-15516 - Audit: Shut down system immediately if unable to log security audits + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0") + # #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2") + # #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1") + # #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1") + # #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. + # #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1") + # #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0") + # #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30") + # #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1") + # #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0") + # #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1") + # #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10") + # #CIS-15529 - 'Interactive logon: Message text for users attempting to log on'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ) + # #CIS-15530 - 'Interactive logon: Message title for users attempting to log on'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI") + # #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4") + # #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10") + # #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2") + # #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2") + # #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") + # #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0") + # #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15") + # #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1") + # #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") + # #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1") + # #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1") + # #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. + # #run("") + # #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1") + # #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1") + # #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1") + # #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0") + # #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. + # #run("") + # #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured. + # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion") + # #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured. + # #run("") + # #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1") #CIS-15551 - #run("") #CIS-15552 - #run("") - #CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0") - #CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1") - #CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0") - #CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0") - #CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1") - #CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1") - #CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5") - #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200") - #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200") - #CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1") - #CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1") - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","0") - #CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1") - #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0") - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1") - #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1") - #CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","0") - #CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","0") - #CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1") - #CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1") + # #CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0") + # #CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1") + # #CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0") + # #CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0") + # #CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1") + # #CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1") + # #CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5") + # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200") + # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200") + # #CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1") + # #CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. + # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1") + # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","0") + # #CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1") + # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation + # # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0") + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1") + # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1") + # #CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","0") + # #CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","0") + # #CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1") + # #CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1") #CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\BTAGService", "Start","4") #CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. @@ -173,7 +173,6 @@ def install(): registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2psvc", "Start","4") #CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2pimsvc", "Start","4") - #CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPAutoReg", "Start","4") #CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'. @@ -184,7 +183,6 @@ def install(): registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RasAuto", "Start","4") #CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SessionEnv", "Start","4") - #CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\TermService", "Start","4") #CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. @@ -209,9 +207,6 @@ def install(): registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\upnphost", "Start","4") #CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMSvc", "Start","4") - - - #CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WerSvc", "Start","4") #CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. @@ -226,7 +221,6 @@ def install(): registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PushToInstall", "Start","4") #CIS - Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WinRM", "Start","4") - #CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\W3SVC", "Start","4") #CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. @@ -238,12 +232,12 @@ def install(): #CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4") - #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. - run("netsh advfirewall set allprofiles state on") - #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. - run('netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block') - #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. - run('netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow') + # #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. + # run("netsh advfirewall set allprofiles state on") + # #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. + # run('netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block') + # #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. + # run('netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow') #CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. #run("netsh advfirewall set allprofiles settings notifications off") #CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. @@ -320,20 +314,20 @@ def install(): # # Ensure 'System Integrity' is set to include 'Success'. # run('auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable') - #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1") - #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1") - #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0") - #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0") - #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0") - #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4") - #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0") + # #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1") + # #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1") + # #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0") + # #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0") + # #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0") + # #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4") + # #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'. + # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")