diff --git a/setup.py b/setup.py index d1be80e..3c6ab44 100644 --- a/setup.py +++ b/setup.py @@ -1,562 +1,196 @@ -# -*- coding: utf-8 -*- -from setuphelpers import * -import winreg -import win32net -import win32security - -def install(): - - - #CIS-15500 - Password History - run("net accounts /uniquepw:24") - #CIS-15501 - Maximum password Age - run("net accounts /MAXPWAGE:90") - #CIS-15502 - Minimum password Age - run("net accounts /minpwage:1") - #CIS-15503 - Minimum password Lenght - run("net accounts /MINPWLEN:14") - # # #CIS-15505 - Relax minimum password length limits - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1") - #CIS-15506 - Account lockout duration - run("net accounts /lockoutduration:15") - #CIS-15507 - Account lockout Threshold - run("net accounts /lockoutthreshold:5") - #CIS-15508 - Reset lockout counter after - run("net accounts /lockoutwindow:15") - - - #CIS-15512 - Accounts: Limit local account use of blank passwords to console logon only' - registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse","1") - #CIS-15510 - 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3") - #CIS-15509 - Administrator account status disabled (fr) - locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1] - sid = win32security.GetBinarySid(locsid + "-500") - admin_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid) - # #CIS-15513 - Accounts: Rename Administrator Account' (fr) - if admin_local_user == "Administrateur" : - run("wmic useraccount where name='Administrateur' rename 'comi-adm'") - run(r'net user "comi-adm" /active:no') - else: - run(r'net user "comi-adm" /active:no') - #CIS-15511 - Guest account status disabled (fr) - locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1] - sid = win32security.GetBinarySid(locsid + "-501") - guest_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid) - run(r'net user "%s" /active:no' % guest_local_user) - #CIS-15514 - Accounts: Rename Guest Account' (fr) - if guest_local_user == "Invité" : - run("wmic useraccount where name='Invité' rename 'comiguest'") - run(r'net user "comiguest" /active:no') - else: - run(r'net user "comiguest" /active:no') - - ####TEXTE LEGAL#### - - #CIS-15529 - 'Interactive logon: Message text for users attempting to log on'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ) - #CIS-15530 - 'Interactive logon: Message title for users attempting to log on'. - registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI") - - ####SERVICES#### - - #CIS - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\BTAGService", "Start","4") - #CIS - Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\bthserv", "Start","4") - #CIS - Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\MapsBroker", "Start","4") - #CIS - Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\lfsvc", "Start","4") - #CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\IISADMIN", "Start","4") - #CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\irmon", "Start","4") - #CIS - Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess", "Start","4") - #CIS - Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\lltdsvc", "Start","4") - #CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LxssManager", "Start","4") - #CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\MSiSCSI", "Start","4") - #CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\FTPSVC", "Start","4") - #CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\sshd", "Start","4") - #CIS - Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPsvc", "Start","4") - #CIS - Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2psvc", "Start","4") - #CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2pimsvc", "Start","4") - #CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPAutoReg", "Start","4") - #CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Spooler", "Start","4") - #CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\wercplsupport", "Start","4") - #CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RasAuto", "Start","4") - #CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SessionEnv", "Start","4") - #CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\TermService", "Start","4") - #CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\UmRdpService", "Start","4") - #CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RpcLocator", "Start","4") - #CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start","4") - #CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RemoteAccess", "Start","4") - #CIS - Ensure 'Server (LanmanServer)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer", "Start","4") - #CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\simptcp", "Start","4") - #CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SNMP", "Start","4") - #CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\sacsvr", "Start","4") - #CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SSDPSRV", "Start","4") - #CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\upnphost", "Start","4") - #CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMSvc", "Start","4") - #CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WerSvc", "Start","4") - #CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Wecsvc", "Start","4") - #CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMPNetworkSvc", "Start","4") - #CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\icssvc", "Start","4") - #CIS - Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WpnService", "Start","4") - #CIS - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PushToInstall", "Start","4") - #CIS - Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WinRM", "Start","4") - #CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\W3SVC", "Start","4") - #CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxGipSvc", "Start","4") - #CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XblAuthManager", "Start","4") - #CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XblGameSave", "Start","4") - #CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4") - - ####AUDITPOL#### - - run('auditpol /set /subcategory:"Validation des informations d’identification" /success:enable /failure:enable') - # # Ensure 'Audit Application Group Management' is set to 'Success and Failure'. - run('auditpol /set /subcategory:"Gestion des groupes d’applications" /success:enable /failure:enable') - # # Ensure 'Audit Security Group Management' is set to include 'Success'. - run('auditpol /set /subcategory:"Gestion des groupes de sécurité" /success:enable') - # # Ensure 'Audit User Account Management' is set to 'Success and Failure'. - run('auditpol /set /subcategory:"Gestion des comptes d’utilisateur" /success:enable') - # # Ensure 'Plug and Play Events' is set to include 'Success'. - run('auditpol /set /subcategory:"Événements Plug-and-Play" /success:enable') - # # Ensure 'Process Creation' is set to include 'Success'. - run('auditpol /set /subcategory:"Création du processus" /success:enable') - # # Ensure 'Account Lockout' is set to 'Success and Failure'. - run('auditpol /set /subcategory:"Verrouillage du compte" /failure:enable') - # # Ensure 'Group Membership' is set to include 'Success'. - run('auditpol /set /subcategory:"Appartenance à un groupe" /success:enable') - # # Ensure 'Logon' is set to include 'Success'. - run('auditpol /set /subcategory:"Ouvrir la session" /success:enable /failure:enable') - # # Ensure 'Logoff' is set to include 'Success'. - run('auditpol /set /subcategory:"Fermer la session" /success:enable') - # # Ensure 'Other Logon/Logoff Events' is set to include 'Success'. - run('auditpol /set /subcategory:"Autres événements d’ouverture/fermeture de session" /success:enable /failure:enable') - # # Ensure 'Special Logon' is set to include 'Success'. - run('auditpol /set /subcategory:"Ouverture de session spéciale" /success:enable') - # # Ensure 'Detailed File Share' is set to 'Success and Failure'. - run('auditpol /set /subcategory:"Partage de fichiers détaillé" /failure:enable') - # # Ensure 'File Share' is set to include 'Success'. - run('auditpol /set /subcategory:"Partage de fichiers" /success:enable /failure:enable') - # # Ensure 'Other Object Access Events' is set to include 'Success'. - run('auditpol /set /subcategory:"Autres événements d’accès à l’objet" /success:enable /failure:enable') - # # Ensure 'Removable Storage' is set to include 'Success'. - run('auditpol /set /subcategory:"Stockage amovible" /success:enable /failure:enable') - # # Ensure 'Audit Policy Change' is set to include 'Success'. - run('auditpol /set /subcategory:"Modification de la stratégie d’audit" /success:enable') - # # Ensure 'Authentication Policy Change' is set to include 'Success'. - run('auditpol /set /subcategory:"Modification de la stratégie d’authentification" /success:enable') - # # Ensure 'Authorization Policy Change' is set to include 'Success'. - run('auditpol /set /subcategory:"Modification de la stratégie d’autorisation" /success:enable') - # # Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'. - run('auditpol /set /subcategory:"Modification de la stratégie de niveau règle MPSSVC" /success:enable /failure:enable') - # # Ensure 'Other Policy Change Events' is set to 'Success and Failure'. - run('auditpol /set /subcategory:"Autres événements de modification de stratégie" /failure:enable') - # # Ensure 'Sensitive Privilege Use' is set to include 'Success'. - run('auditpol /set /subcategory:"Utilisation de privilèges sensibles" /success:enable /failure:enable') - # # Ensure 'IPsec Driver' is set to include 'Success'. - run('auditpol /set /subcategory:"Pilote IPSEC" /success:enable /failure:enable') - # # Ensure 'Other System Events' is set to include 'Success'. - run('auditpol /set /subcategory:"Autres événements système" /success:enable /failure:enable') - # # Ensure 'Security State Change' is set to include 'Success'. - run('auditpol /set /subcategory:"Modification de l’état de la sécurité" /success:enable') - # # Ensure 'Security System Extension' is set to include 'Success'. - run('auditpol /set /subcategory:"Extension système de sécurité" /success:enable') - # # Ensure 'System Integrity' is set to include 'Success'. - run('auditpol /set /subcategory:"Intégrité du système" /success:enable /failure:enable') - - #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1") - #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1") - #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0") - #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0") - #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0") - #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4") - #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0") - -####FIREWALL#### - - # #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. - run("netsh advfirewall set allprofiles state on") - #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. - run('netsh advfirewall firewall add rule name="Block All Inbound Connections" dir=in action=block') - #CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile", "DisableNotifications","1") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile", "DisableNotifications","1") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile", "DisableNotifications","1") - #CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\domainfw.log") - # #CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\privatefw.log") - # #CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\publicfw.log") - # #CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogFileSize","16384") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogFileSize","16384") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogFileSize","16384") - # #CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'. - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogDroppedPackets","1") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogDroppedPackets","1") - registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogDroppedPackets","1") - # #CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1") - # #CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1") - # #CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1") - # #CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile", "AllowLocalIPsecPolicyMerge","0") - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile", "AllowLocalPolicyMerge","0") - -####Windows Terminal Services#### - - #Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "DisablePasswordSaving","1") - #Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDenyTSConnections","1") - #Ensure 'Allow UI Automation redirection' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "EnableUiaRedirection","0") - #Ensure 'Do not allow COM port redirection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableCcm","1") - #Ensure 'Do not allow drive redirection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableCdm","1") - #Ensure 'Do not allow location redirection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableLocationRedir","1") - #Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableLPT","1") - #Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisablePNPRedir","1") - #Ensure 'Always prompt for password upon connection' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fPromptForPassword","1") - #Ensure 'Require secure RPC communication' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fEncryptRPCTraffic","1") - #Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "SecurityLayer","2") - #Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "UserAuthentication","1") - #Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MinEncryptionLevel","3") - #Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxIdleTime","800000") - #Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxDisconnectionTime","60000") - #Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "DeleteTempDirsOnExit","1") - -####Windows Search#### - - #Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCloudSearch","0") - #Ensure 'Allow Cortana' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortana","0") - #Ensure 'Allow Cortana above lock screen' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortanaAboveLock","0") - #Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowIndexingEncryptedStoresOrItems","0") - #Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowSearchToUseLocation","0") - -####Windows Store#### - - #Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "DisableStoreApps","1") - #Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "RequirePrivateStoreOnly","1") - #Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "AutoDownload","4") - #Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "DisableOSUpgrade","1") - #Ensure 'Turn off the Store application' is set to 'Enabled'. - registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "RemoveWindowsStore","1") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -################################################################## - #CIS-15515 - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1") - # #CIS-15516 - Audit: Shut down system immediately if unable to log security audits - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0") - # #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2") - # #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1") - # #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1") - # #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. - # #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1") - # #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0") - # #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30") - # #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1") - # #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0") - # #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1") - # #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10") - - - - - # #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''. - # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4") - # #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10") - # #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2") - # #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2") - # #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") - # #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0") - # #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15") - # #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1") - # #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1") - # #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1") - # #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1") - # #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. - # #run("") - # #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1") - # #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1") - # #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1") - # #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0") - # #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. - # #run("") - # #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured. - # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion") - # #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured. - # #run("") - # #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1") - #CIS-15551 - - #run("") - #CIS-15552 - - #run("") - # #CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0") - # #CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1") - # #CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0") - # #CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0") - # #CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1") - # #CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1") - # #CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5") - # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200") - # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200") - # #CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1") - # #CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. - # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1") - # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","0") - # #CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1") - # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation - # # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0") - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1") - # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1") - # #CIS - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","0") - # #CIS - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","0") - # #CIS - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1") - # #CIS - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. - # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# -*- coding: utf-8 -*- +from setuphelpers import * +import subprocess +import winreg as reg + + +LocalAdministrator = "LocalAdministrator" +LocalGuest = "LocalGuest" +LegalNoticeText = "Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi." +LegalNoticeCaption = "Bienvenue sur un poste COMITARI" + +enable_rename_and_disable_user = False +enable_set_password_requirements = False +enable_configure_login_logout_features = False +enable_configure_lanman_service = False +enable_configure_uac_prompt_behavior = False +enable_configure_external_device_settings = False +enable_configure_windows_services = False +enable_configure_windows_event_logging = False +enable_configure_windows_settings = False +enable_configure_network_settings = False + + +def install(): + + #Trouver le compte Built-in Administrator + locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1] + sid = win32security.GetBinarySid(locsid + "-500") + admin_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid) + + #Trouver le compte Built-in Guest + locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1] + sid = win32security.GetBinarySid(locsid + "-501") + guest_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid) + + + if enable_rename_and_disable_user is True : + rename_and_disable_user(admin_local_user, LocalAdministrator) + rename_and_disable_user(guest_local_user, LocalGuest) + if enable_set_password_requirements is True : + set_password_requirements() + if enable_configure_login_logout_features is True : + configure_login_logout_features() + if enable_configure_lanman_service is True : + configure_lanman_service() + if enable_configure_uac_prompt_behavior is True : + configure_uac_prompt_behavior() + if enable_configure_external_device_settings is True : + configure_external_device_settings() + if enable_configure_windows_services is True : + configure_windows_services() + if enable_configure_windows_event_logging is True : + configure_windows_event_logging() + + if configure_windows_settings is True : + configure_windows_settings() + if configure_network_settings is True : + configure_network_settings() + +def rename_and_disable_user(old_name, new_name): + try: + run(f'wmic useraccount where name="{old_name}" rename {new_name}', check=True) + run(f'wmic useraccount where name="{new_name}" set disabled=true', check=True) + except subprocess.CalledProcessError: + pass + + +def set_password_requirements(): + run('net accounts /maxpwage:365') + run('net accounts /minpwage:1') + run('net accounts /minpwlen:14') + run('net accounts /forcelogoff:15') + run('net accounts /uniquepw:24') + run('net accounts /lockoutthreshold:5') + run('net accounts /lockoutduration:15') + run('net accounts /lockoutwindow:15') + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1) + +def configure_login_logout_features(): + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'NoConnectedUser', 3) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCAD', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DontDisplayLastUserName', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeText', LegalNoticeText) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeCaption', LegalNoticeText) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', 4) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ScRemoveOption', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'InactivityTimeoutSecs', 900) + +def configure_lanman_service(): + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'RequireSecuritySignature', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'EnableSecuritySignature', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes', '') + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'SMBServerNameHardeningLevel', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'DisableDomainCreds', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 5) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'UseMachineID', 1) + + # Ensure the MSV1_0 key exists + msv_path = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' + if not reg.QueryValueEx(msv_path): + reg.CreateKey(reg.HKEY_LOCAL_MACHINE, msv_path) + + registry_set(msv_path, 'NTLMMinClientSec', 537395200) + registry_set(msv_path, 'NTLMMinServerSec', 537395200) + + # Ensure the Kerberos key exists + kerberos_path = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' + if not reg.QueryValueEx(kerberos_path): + reg.CreateKey(reg.HKEY_LOCAL_MACHINE, kerberos_path) + + registry_set(HKEY_LOCAL_MACHINE,kerberos_path, 'SupportedEncryptionTypes', 2147483640) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1) + +def configure_uac_prompt_behavior(): + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'FilterAdministratorToken', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentAdminBehavior', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentPromptBehaviorUser', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'PromptOnSecureDesktop', 1) + +def configure_external_device_settings(): + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateDASD', 2) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers', 'AddPrinterDrivers', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'MaxDevicePasswordFailedAttempts', 10) + +def configure_windows_services(): + services_to_disable = [ + "BTAGService", "bthserv", "MapsBroker", "SharedAccess", "lltdsvc", + "LxssManager", "MSiSCSI", "PNRPsvc", "p2psvc", "p2pimsvc", "PNRPAutoReg", + "Spooler", "wercplsupport", "RasAuto", "SessionEnv", "UmRdpService", + "TermService", "RpcLocator", "LanmanServer", "upnphost", "SSDPSRV", + "WerSvc", "Wecsvc", "WMPNetworkSvc", "icssvc", "WpnService", + "PushToInstall", "WinRM", "XboxGipSvc", "XblAuthManager", "XblGameSave", "XboxNetApiSvc" + ] + + for service in services_to_disable: + run(f'sc config {service} start= disabled') + run(f'net stop {service}') + +def configure_windows_event_logging(): + auditpol_commands = [ + 'auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /failure:enable', + 'auditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030} /failure:enable', + 'auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /failure:enable', + 'auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + 'auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable', + 'auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable', + ] + + for command in auditpol_commands: + run(command) + +def configure_windows_settings(): + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4) + +def configure_network_settings(): + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'IPEnableRouter', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DisableIPSourceRouting', 2) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveTime', 300000) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveInterval', 30) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableDeadGWDetect', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'TcpMaxDataRetransmissions', 5) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DontAddDefaultGatewayDefault', 1) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'PerformRouterDiscovery', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirect', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirects', 0) + registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableMulticastForwarding', 0) +