|
|
|
|
@@ -4,144 +4,145 @@ import winreg
|
|
|
|
|
|
|
|
|
|
def install():
|
|
|
|
|
|
|
|
|
|
#CIS-15500 - Password History
|
|
|
|
|
run("net accounts /uniquepw:24")
|
|
|
|
|
#CIS-15501 - Maximum password Age
|
|
|
|
|
run("net accounts /MAXPWAGE:90")
|
|
|
|
|
#CIS-15502 - Minimum password Age
|
|
|
|
|
run("net accounts /minpwage:1")
|
|
|
|
|
#CIS-15503 - Minimum password Lenght
|
|
|
|
|
run("net accounts /MINPWLEN:14")
|
|
|
|
|
#CIS-15505 - Relax minimum password length limits
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1")
|
|
|
|
|
#CIS-15506 - Account lockout duration
|
|
|
|
|
run("net accounts /lockoutduration:15")
|
|
|
|
|
#CIS-15507 - Account lockout Threshold
|
|
|
|
|
run("net accounts /lockoutthreshold:5")
|
|
|
|
|
#CIS-15508 - Reset lockout counter after
|
|
|
|
|
run("net accounts /lockoutwindow:15")
|
|
|
|
|
# #CIS-15500 - Password History
|
|
|
|
|
# run("net accounts /uniquepw:24")
|
|
|
|
|
# #CIS-15501 - Maximum password Age
|
|
|
|
|
# run("net accounts /MAXPWAGE:90")
|
|
|
|
|
# #CIS-15502 - Minimum password Age
|
|
|
|
|
# run("net accounts /minpwage:1")
|
|
|
|
|
# #CIS-15503 - Minimum password Lenght
|
|
|
|
|
# run("net accounts /MINPWLEN:14")
|
|
|
|
|
# #CIS-15505 - Relax minimum password length limits
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1")
|
|
|
|
|
# #CIS-15506 - Account lockout duration
|
|
|
|
|
# run("net accounts /lockoutduration:15")
|
|
|
|
|
# #CIS-15507 - Account lockout Threshold
|
|
|
|
|
# run("net accounts /lockoutthreshold:5")
|
|
|
|
|
# #CIS-15508 - Reset lockout counter after
|
|
|
|
|
# run("net accounts /lockoutwindow:15")
|
|
|
|
|
#CIS-15509 - Administrator account status disabled (fr)
|
|
|
|
|
#run("net user administrateur /active:no")
|
|
|
|
|
#CIS-15510 - 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3")
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3")
|
|
|
|
|
#CIS-15511 - Guest account status disabled (fr)
|
|
|
|
|
#run("net user Invité /active no")
|
|
|
|
|
#CIS-15512 - Accounts: Limit local account use of blank passwords to console logon only'
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse","1")
|
|
|
|
|
#CIS-15513 - Accounts: Rename Administrator Account' (fr)
|
|
|
|
|
run("wmic useraccount where name='Administrateur' rename 'comi-adm'")
|
|
|
|
|
#CIS-15514 - Accounts: Rename Guest Account' (fr)
|
|
|
|
|
run("wmic useraccount where name='Invité' rename 'comiguest'")
|
|
|
|
|
# run("wmic useraccount where name='Administrateur' rename 'comi-adm'")
|
|
|
|
|
# #CIS-15514 - Accounts: Rename Guest Account' (fr)
|
|
|
|
|
# run("wmic useraccount where name='Invité' rename 'comiguest'")
|
|
|
|
|
#CIS-15515 - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1")
|
|
|
|
|
#CIS-15516 - Audit: Shut down system immediately if unable to log security audits
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0")
|
|
|
|
|
#CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2")
|
|
|
|
|
#CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1")
|
|
|
|
|
#CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1")
|
|
|
|
|
#CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'.
|
|
|
|
|
#CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1")
|
|
|
|
|
#CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0")
|
|
|
|
|
#CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30")
|
|
|
|
|
#CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1")
|
|
|
|
|
#CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0")
|
|
|
|
|
#CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1")
|
|
|
|
|
#CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10")
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1")
|
|
|
|
|
# #CIS-15516 - Audit: Shut down system immediately if unable to log security audits
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0")
|
|
|
|
|
# #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2")
|
|
|
|
|
# #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1")
|
|
|
|
|
# #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1")
|
|
|
|
|
# #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'.
|
|
|
|
|
# #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1")
|
|
|
|
|
# #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0")
|
|
|
|
|
# #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30")
|
|
|
|
|
# #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1")
|
|
|
|
|
# #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0")
|
|
|
|
|
# #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1")
|
|
|
|
|
# #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10")
|
|
|
|
|
#CIS-15529 - 'Interactive logon: Message text for users attempting to log on'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ)
|
|
|
|
|
#CIS-15530 - 'Interactive logon: Message title for users attempting to log on'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI")
|
|
|
|
|
#CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4")
|
|
|
|
|
#CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10")
|
|
|
|
|
#CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2")
|
|
|
|
|
#CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2")
|
|
|
|
|
#CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
|
|
|
|
|
#CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0")
|
|
|
|
|
#CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15")
|
|
|
|
|
#CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1")
|
|
|
|
|
#CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
|
|
|
|
|
#CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1")
|
|
|
|
|
#CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1")
|
|
|
|
|
#CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.
|
|
|
|
|
#run("")
|
|
|
|
|
#CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1")
|
|
|
|
|
#CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1")
|
|
|
|
|
#CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1")
|
|
|
|
|
#CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0")
|
|
|
|
|
#CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'.
|
|
|
|
|
#run("")
|
|
|
|
|
#CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion")
|
|
|
|
|
#CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured.
|
|
|
|
|
#run("")
|
|
|
|
|
#CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1")
|
|
|
|
|
# #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4")
|
|
|
|
|
# #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10")
|
|
|
|
|
# #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2")
|
|
|
|
|
# #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2")
|
|
|
|
|
# #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
|
|
|
|
|
# #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0")
|
|
|
|
|
# #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15")
|
|
|
|
|
# #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1")
|
|
|
|
|
# #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
|
|
|
|
|
# #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1")
|
|
|
|
|
# #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1")
|
|
|
|
|
# #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.
|
|
|
|
|
# #run("")
|
|
|
|
|
# #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1")
|
|
|
|
|
# #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1")
|
|
|
|
|
# #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1")
|
|
|
|
|
# #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0")
|
|
|
|
|
# #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'.
|
|
|
|
|
# #run("")
|
|
|
|
|
# #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured.
|
|
|
|
|
# # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion")
|
|
|
|
|
# #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured.
|
|
|
|
|
# #run("")
|
|
|
|
|
# #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1")
|
|
|
|
|
#CIS-15551 -
|
|
|
|
|
#run("")
|
|
|
|
|
#CIS-15552 -
|
|
|
|
|
#run("")
|
|
|
|
|
#CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0")
|
|
|
|
|
#CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1")
|
|
|
|
|
#CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0")
|
|
|
|
|
#CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0")
|
|
|
|
|
#CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1")
|
|
|
|
|
#CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1")
|
|
|
|
|
#CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5")
|
|
|
|
|
#CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200")
|
|
|
|
|
#CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200")
|
|
|
|
|
#CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1")
|
|
|
|
|
#CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0")
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1")
|
|
|
|
|
#CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1")
|
|
|
|
|
# #CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0")
|
|
|
|
|
# #CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1")
|
|
|
|
|
# #CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0")
|
|
|
|
|
# #CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0")
|
|
|
|
|
# #CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1")
|
|
|
|
|
# #CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1")
|
|
|
|
|
# #CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5")
|
|
|
|
|
# #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200")
|
|
|
|
|
# #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200")
|
|
|
|
|
# #CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1")
|
|
|
|
|
# #CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.
|
|
|
|
|
# # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1")
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","0")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
|
|
|
|
|
# # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0")
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","0")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","0")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1")
|
|
|
|
|
# #CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1")
|
|
|
|
|
#CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\BTAGService", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.
|
|
|
|
|
@@ -172,7 +173,6 @@ def install():
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2psvc", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2pimsvc", "Start","4")
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPAutoReg", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'.
|
|
|
|
|
@@ -183,7 +183,6 @@ def install():
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RasAuto", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SessionEnv", "Start","4")
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\TermService", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.
|
|
|
|
|
@@ -208,9 +207,6 @@ def install():
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\upnphost", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMSvc", "Start","4")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WerSvc", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'.
|
|
|
|
|
@@ -225,7 +221,6 @@ def install():
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PushToInstall", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WinRM", "Start","4")
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\W3SVC", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.
|
|
|
|
|
@@ -237,102 +232,102 @@ def install():
|
|
|
|
|
#CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4")
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.
|
|
|
|
|
run("netsh advfirewall set allprofiles state on")
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
|
|
|
|
run('netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
|
|
|
|
run('netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.
|
|
|
|
|
# run("netsh advfirewall set allprofiles state on")
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
|
|
|
|
# run('netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
|
|
|
|
# run('netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.
|
|
|
|
|
run("netsh advfirewall set allprofiles settings notifications off")
|
|
|
|
|
#run("netsh advfirewall set allprofiles settings notifications off")
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
|
|
|
|
run(r'netsh advfirewall set domain logging filename "%SystemRoot%\System32\logfiles\firewall\domainfw.log"')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
|
|
|
|
run(r'netsh advfirewall set private logging filename "%SystemRoot%\System32\logfiles\firewall\privatefw.log"')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
|
|
|
|
run(r'netsh advfirewall set public logging filename "%SystemRoot%\System32\logfiles\firewall\publicfw.log"')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'.
|
|
|
|
|
run('netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log allowedconnections 16384')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'.
|
|
|
|
|
run('netsh advfirewall set allprofiles logging droppedpackets enable')
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
#CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.
|
|
|
|
|
run("netsh advfirewall set public settings localconsecrules enforce=no")
|
|
|
|
|
# run(r'netsh advfirewall set domain logging filename "%SystemRoot%\System32\logfiles\firewall\domainfw.log"')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
|
|
|
|
# run(r'netsh advfirewall set private logging filename "%SystemRoot%\System32\logfiles\firewall\privatefw.log"')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
|
|
|
|
# run(r'netsh advfirewall set public logging filename "%SystemRoot%\System32\logfiles\firewall\publicfw.log"')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'.
|
|
|
|
|
# run('netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log allowedconnections 16384')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'.
|
|
|
|
|
# run('netsh advfirewall set allprofiles logging droppedpackets enable')
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
|
|
|
|
|
# #CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.
|
|
|
|
|
# run("netsh advfirewall set public settings localconsecrules enforce=no")
|
|
|
|
|
#CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Audit Application Group Management' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Audit Security Group Management' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Security Group Management" /success:enable')
|
|
|
|
|
# Ensure 'Audit User Account Management' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"User Account Management" /success:enable')
|
|
|
|
|
# Ensure 'Plug and Play Events' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Plug and Play Events" /success:enable')
|
|
|
|
|
# Ensure 'Process Creation' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Process Creation" /success:enable')
|
|
|
|
|
# Ensure 'Account Lockout' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"Account Lockout" /failure:enable')
|
|
|
|
|
# Ensure 'Group Membership' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Group Membership" /success:enable')
|
|
|
|
|
# Ensure 'Logon' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Logon" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Logoff' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Logoff" /success:enable')
|
|
|
|
|
# Ensure 'Other Logon/Logoff Events' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Special Logon' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Special Logon" /success:enable')
|
|
|
|
|
# Ensure 'Detailed File Share' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"Detailed File Share" /failure:enable')
|
|
|
|
|
# Ensure 'File Share' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"File Share" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Other Object Access Events' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Removable Storage' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Audit Policy Change' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Audit Policy Change" /success:enable')
|
|
|
|
|
# Ensure 'Authentication Policy Change' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Authentication Policy Change" /success:enable')
|
|
|
|
|
# Ensure 'Authorization Policy Change' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Authorization Policy Change" /success:enable')
|
|
|
|
|
# Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Other Policy Change Events' is set to 'Success and Failure'.
|
|
|
|
|
run('auditpol /set /subcategory:"Other Policy Change Events" /failure:enable')
|
|
|
|
|
# Ensure 'Sensitive Privilege Use' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'IPsec Driver' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable')
|
|
|
|
|
# run('auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Audit Application Group Management' is set to 'Success and Failure'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Audit Security Group Management' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Security Group Management" /success:enable')
|
|
|
|
|
# # Ensure 'Audit User Account Management' is set to 'Success and Failure'.
|
|
|
|
|
# run('auditpol /set /subcategory:"User Account Management" /success:enable')
|
|
|
|
|
# # Ensure 'Plug and Play Events' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Plug and Play Events" /success:enable')
|
|
|
|
|
# # Ensure 'Process Creation' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Process Creation" /success:enable')
|
|
|
|
|
# # Ensure 'Account Lockout' is set to 'Success and Failure'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Account Lockout" /failure:enable')
|
|
|
|
|
# # Ensure 'Group Membership' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Group Membership" /success:enable')
|
|
|
|
|
# # Ensure 'Logon' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Logon" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Logoff' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Logoff" /success:enable')
|
|
|
|
|
# # Ensure 'Other Logon/Logoff Events' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Special Logon' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Special Logon" /success:enable')
|
|
|
|
|
# # Ensure 'Detailed File Share' is set to 'Success and Failure'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Detailed File Share" /failure:enable')
|
|
|
|
|
# # Ensure 'File Share' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"File Share" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Other Object Access Events' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Removable Storage' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Audit Policy Change' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Audit Policy Change" /success:enable')
|
|
|
|
|
# # Ensure 'Authentication Policy Change' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Authentication Policy Change" /success:enable')
|
|
|
|
|
# # Ensure 'Authorization Policy Change' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Authorization Policy Change" /success:enable')
|
|
|
|
|
# # Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Other Policy Change Events' is set to 'Success and Failure'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Other Policy Change Events" /failure:enable')
|
|
|
|
|
# # Ensure 'Sensitive Privilege Use' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'IPsec Driver' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable')
|
|
|
|
|
|
|
|
|
|
# Ensure 'Other System Events' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable')
|
|
|
|
|
# Ensure 'Security State Change' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Security State Change" /success:enable')
|
|
|
|
|
# Ensure 'Security System Extension' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"Security System Extension" /success:enable')
|
|
|
|
|
# Ensure 'System Integrity' is set to include 'Success'.
|
|
|
|
|
run('auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Other System Events' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable')
|
|
|
|
|
# # Ensure 'Security State Change' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Security State Change" /success:enable')
|
|
|
|
|
# # Ensure 'Security System Extension' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"Security System Extension" /success:enable')
|
|
|
|
|
# # Ensure 'System Integrity' is set to include 'Success'.
|
|
|
|
|
# run('auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable')
|
|
|
|
|
|
|
|
|
|
#CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1")
|
|
|
|
|
#CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1")
|
|
|
|
|
#CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0")
|
|
|
|
|
#CIS - Ensure 'Allow Online Tips' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0")
|
|
|
|
|
#CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0")
|
|
|
|
|
#CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4")
|
|
|
|
|
#CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'.
|
|
|
|
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")
|
|
|
|
|
# #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1")
|
|
|
|
|
# #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1")
|
|
|
|
|
# #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0")
|
|
|
|
|
# #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0")
|
|
|
|
|
# #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0")
|
|
|
|
|
# #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4")
|
|
|
|
|
# #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'.
|
|
|
|
|
# registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
