diff --git a/setup.py b/setup.py index a9c824c..1d0d552 100644 --- a/setup.py +++ b/setup.py @@ -48,7 +48,6 @@ def install(): configure_windows_services() if enable_configure_windows_event_logging is True : configure_windows_event_logging() - if configure_windows_settings is True : configure_windows_settings() if configure_network_settings is True : @@ -61,7 +60,6 @@ def rename_and_disable_user(old_name, new_name): except subprocess.CalledProcessError: pass - def set_password_requirements(): run('net accounts /maxpwage:365') run('net accounts /minpwage:1') 
@@ -191,3 +189,95 @@ def configure_network_settings():
 registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirects', 0)
 registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableMulticastForwarding', 0)
+def audit():
+ successful_checks = 0
+ failed_checks = 0
+ verify_settings()
+ nb_checks = successful_checks + failed_checks
+ ratio = nb_checks / failed_checks
+ print(f"\nNombre de vérifications réussies : {successful_checks}")
+ print(f"Nombre de vérifications échouées : {failed_checks}")
+ print(f"Pourcentage de checks mauvais = {ratio}")
+
+
+def registry_readstring(hive, path, name):
+ try:
+ with reg.OpenKey(hive, path) as key:
+ value, _ = reg.QueryValueEx(key, name)
+ return value
+ except FileNotFoundError:
+ return None
+
+def check_reg_value(hive, path, name, expected_value):
+ actual_value = registry_readstring(hive, path, name)
+ if actual_value == expected_value:
+ print(f"[OK] {path}\\{name} = {actual_value}")
+ successful_checks += 1
+ else:
+ print(f"[FAIL] {path}\\{name} = {actual_value} (expected: {expected_value})")
+ failed_checks += 1
+
+def verify_settings():
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1)
+
+ # Login/logout features
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'NoConnectedUser', 3)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCAD', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DontDisplayLastUserName', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeText', 'Authorized users only.')
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeCaption', 'Warning')
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', 4)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ScRemoveOption', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'InactivityTimeoutSecs', 900)
+
+ # LANMAN service configuration
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'RequireSecuritySignature', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'EnableSecuritySignature', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes', '')
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'SMBServerNameHardeningLevel', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa', 'DisableDomainCreds', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 5)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa', 'UseMachineID', 1)
+
+ # Ensure the MSV1_0 key exists
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0', 'NTLMMinClientSec', 537395200)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0', 'NTLMMinServerSec', 537395200)
+
+ # Ensure the Kerberos key exists
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters', 'SupportedEncryptionTypes', 2147483640)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1)
+
+ # UAC prompt behavior
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'FilterAdministratorToken', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentAdminBehavior', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentPromptBehaviorUser', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'PromptOnSecureDesktop', 1)
+
+ # External device settings
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateDASD', 2)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers', 'AddPrinterDrivers', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'MaxDevicePasswordFailedAttempts', 10)
+
+ # Windows settings
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4)
+
+ # Network settings
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'IPEnableRouter', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DisableIPSourceRouting', 2)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveTime', 300000)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveInterval', 30)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableDeadGWDetect', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'TcpMaxDataRetransmissions', 5)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DontAddDefaultGatewayDefault', 1)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'PerformRouterDiscovery', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirect', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirects', 0)
+ check_reg_value(reg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableMulticastForwarding', 0)
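Review bot: `check_reg_value()` raises UnboundLocalError on its first call, because `successful_checks += 1` and `failed_checks += 1` rebind names that exist only as locals of `audit()`, so the audit never reaches its summary. `audit()` also computes `nb_checks / failed_checks`, which divides by zero on a fully compliant host and is the inverse of the failed-check percentage the message announces. A tally shared by both functions, with a guarded `failed / total` ratio, fixes both; it is sketched below. Separately, `registry_readstring()` catches only `FileNotFoundError`, so an access-denied key would abort the whole run, and `winreg` returns a list for REG_MULTI_SZ data, so if `NullSessionPipes` is stored with that type the comparison with `''` can never pass.

```python
# Module-level tally: check_reg_value() cannot rebind locals of audit().
_audit_counts = {"ok": 0, "fail": 0}

def audit():
    _audit_counts.update(ok=0, fail=0)  # reset so repeated audits do not accumulate
    verify_settings()
    successful_checks = _audit_counts["ok"]
    failed_checks = _audit_counts["fail"]
    nb_checks = successful_checks + failed_checks
    # Share of failed checks, guarded so a clean (or empty) run does not divide by zero.
    ratio = 100 * failed_checks / nb_checks if nb_checks else 0.0
    # … unchanged: the three summary print() calls …

def check_reg_value(hive, path, name, expected_value):
    actual_value = registry_readstring(hive, path, name)
    passed = actual_value == expected_value
    _audit_counts["ok" if passed else "fail"] += 1
    # … unchanged: the [OK] / [FAIL] print() calls, selected on `passed` …
```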