salut les copains

.env

@@ -0,0 +1,2 @@
+VIRTUAL_ENV=C:\Program Files (x86)\wapt\
+PYTHONPATH=C:\Program Files (x86)\wapt\

.vscode/launch.json

@@ -0,0 +1,132 @@
+{
+    "version": "0.2.4",
+    "configurations": [
+        {
+            "name": "WAPT: install",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "install",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "linux": {
+                "sudo": true
+            },
+            "osx": {
+                "sudo": true
+            },
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        },
+        {
+            "name": "WAPT: remove",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "remove",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "linux": {
+                "sudo": true
+            },
+            "osx": {
+                "sudo": true
+            },
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        },
+        {
+            "name": "WAPT: uninstall",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "uninstall",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "linux": {
+                "sudo": true
+            },
+            "osx": {
+                "sudo": true
+            },
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        },
+        {
+            "name": "WAPT: session-setup",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "session-setup",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        },
+        {
+            "name": "WAPT: audit",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "audit",
+                "-f",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "linux": {
+                "sudo": true
+            },
+            "osx": {
+                "sudo": true
+            },
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        },
+        {
+            "name": "WAPT: update-package",
+            "type": "python",
+            "request": "launch",
+            "justMyCode": false,
+            "program": "${config:python.wapt-get}",
+            "args": [
+                "update-package-sources",
+                "--no-ide",
+                "${workspaceFolder}"
+            ],
+            "console": "integratedTerminal",
+            "python": "${command:python.interpreterPath}",
+            "pythonArgs": [
+                "-I"
+            ]
+        }
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,13 @@
+{
+	"python.defaultInterpreterPath": "C:\\Program Files (x86)\\wapt\\Scripts\\python.exe",
+	"python.pythonPath": "C:\\Program Files (x86)\\wapt\\Scripts\\python.exe",
+	"python.wapt-get": "C:\\Program Files (x86)\\wapt\\wapt-get.py",
+	"python.formatting.provider": "black",
+	"python.formatting.blackArgs": 
+	[
+		"--line-length",
+		"150"
+	],
+	"editor.insertSpaces": true,
+	"files.eol": "\n"
+}

WAPT/certificate.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIUSsaILn1scDCUhHvihORUTceVhO8wDQYJKoZIhvcNAQEL
+BQAwJDELMAkGA1UEBhMCRlIxFTATBgNVBAMMDGdnZW5kcm9uX3BlbTAeFw0yMzEx
+MDgwODM0MjhaFw0zMzExMDUwODM0MjhaMCQxCzAJBgNVBAYTAkZSMRUwEwYDVQQD
+DAxnZ2VuZHJvbl9wZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj
+Qt/K76QyhKl8ulRmnrCSRnD3UyHBmgAxSDml14sVxuyjVE+WW3umCqrJ2/QL2Sqy
+DbxiBeexaaVSM15pKcsHQSGnCy762IjBhJIc9iW1QxNi1z/BivBVmAZRmM12IsKj
+VeVs5oKpHjO5Uw2R+/MKkqg/9rNk3MQNA44YcFIz4RSfU5IElKU3CwzYFPwdRBSv
+Sjf+onG4MkbEbL7B0axeMsKYZ2gxyuU9H73eUwWXgs2ICUu0wlyzKil1jJabKlEr
+vREIvt+TL1hUFVLzbADgQPmZhCC2aylzdiYlwaKgNUmwEOip3JpZe0ay8XkIhH2O
+H0i5RzPHD0FJae1Og9J7AgMBAAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFIJMVc1b++36XjWfjFhF+5AfxigaMA4GA1UdDwEB/wQEAwIB1jAdBgNVHSUE
+FjAUBggrBgEFBQcDAgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAJkDZMAN
+7aI3TPEXKAHWFBI25+CkV1OL+/NIhgdI3JVvu3rQ2iUcFS08+7rMa555OT3YjTFJ
+4Cm0onhdXhVS0ENjvlfm2gWoD5t9SP9ZN4t1K19PDY6SCAqV79pYu2KfuHRXhmSZ
+2p/tS1i01dkulJ49AKZNSp3BJ3xThL5oJHHOMgF5msRjZHBMRPsz3HgksaKzn3TE
+fzyJ2/izHvTzllez7Ns90eVGPKMvZtZDSq+YpAhVSb6Fn46WVS2Z6Ce3GfRUiN6b
+RJ4IQ6a+JhTgjJR6XJFQcmfDWFyzHjajd8OhbLuQjTIaiHyYcUNB9oZeyonMZ4ea
+5MedsXgtUISHfhs=
+-----END CERTIFICATE-----

WAPT/control

@@ -0,0 +1,44 @@
+package           : comi-hardening
+version           : 1.0-27
+architecture      : all
+section           : base
+priority          : optional
+name              : comi-hardening
+categories        : System and network
+maintainer        : ComiTeam
+description       : Audit FreeSpace
+depends           : 
+conflicts         : 
+maturity          : PROD
+locale            : all
+target_os         : all
+min_wapt_version  : 2.0
+sources           : 
+installed_size    : 
+impacted_process  : 
+description_fr    : 
+description_pl    : 
+description_de    : 
+description_es    : 
+description_pt    : 
+description_it    : 
+description_nl    : 
+description_ru    : 
+audit_schedule    : 24h
+editor            : 
+keywords          : 
+licence           : 
+homepage          : 
+package_uuid      : c22cf383-0757-4e5c-a435-a106c9436a67
+valid_from        : 
+valid_until       : 
+forced_install_on : 
+changelog         : 
+min_os_version    : 
+max_os_version    : 
+icon_sha256sum    : 0c223120ac1a6e4cd0d0abe04cd831c7d4a4c2661947e758c0f703b656933d9a
+signer            : ggendron_pem
+signer_fingerprint: 244cdf15fa2ea3ead58e4abf232fdf9a30a8a28a798677f71d6a3e76e65f9003
+signature_date    : 2024-06-04T08:22:30.000000
+signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
+signature         : k79PfM1q5/RfSc76KYGSJsdqo4Q2+ciYTqSRQUjc+Ofv5ee2Opskx2QpcdG9uBtPZ6oXu5RUPryUdJyKTf075RtFUfi5uy95bhpGY2xOxabp1stOQdOBFiNsI44Wp6tCVTStKpmiJC5Vg4PBAUF4ImKKhvlpwmOi8yhfAWpXVk2trGf9pwyaEyTGIouL08dF6EpymmyvWYWCCcP4NQr7yellItIWccK8njqsyTUMibEXLbYu1ByCuvXfs05RQ3c5s42cfg6BpLLFUx8VYRtGJbXsn1NNHLH9K0uB+0cxdX8Fru/5ywEgylNfjA2hvIUgcM4jFGYL9epkTWsw++l1JA==

WAPT/manifest.sha256

@@ -0,0 +1 @@
+[[".env","720b2be3b2d977425b68892f478262e7d3f764ca56c86e4d6aa2f639ea3dd214"],[".vscode/launch.json","9ff21f1f15e3057effdd1caf2481307e82ee2a0d2aaf701a46b2ab1e99241ef4"],[".vscode/settings.json","cb5120747ed4bf6fe55c466ffd3951f294fa25c8969ddee919738110eb1ad6c4"],["README.CSV","22dd78a4853cb10c91896d896adb761a757f190e6dce0462ff3ed43cedb56237"],["WAPT/certificate.crt","68194bca04eef7aaf4dc3c3bd12b017a1263bb5fcc034919fc7edda0c62db266"],["WAPT/control","a53424d087036c1e4c6ff527408efa8f34d04707b72b10f39dc34ba624ccfee6"],["WAPT/icon.png","0c223120ac1a6e4cd0d0abe04cd831c7d4a4c2661947e758c0f703b656933d9a"],["WAPT/wapt.psproj","e143a00662731c3aaaf1fbf9d63cc6c55d6bc9a20769aff83c62734dfd1a1477"],["__pycache__",""],["setup.py","36ec8be4c525ab82575753383ce76ead5efab81a13daec8f3bfb2e11458d0e10"]]

WAPT/signature.sha256

@@ -0,0 +1 @@
+jcmGI80D0tUBoJad+H0Jqfo5NkIDSaAbBhmE7AtHl6/oRYDl/M6IMYYp1tyPXtZOKXXmpqGm0J0hSPE/djfjl7w+42+I++2hrh9RdKMetG/SefBgF//pyBsZe5IyYrtZe1Z/OYcQtyl4abIhNaup5vQMAc49W8SIZ9pPC4cFTK230+J+5AJo0yPJMjC5HlgN/MuMUpmskT5n3tIaPj9OBIG2h5YcW3mFM79RlqOE9cXVzfCYFXZD8CQJDKapJ79cLa+dThslmrkiI7WdMITY/18GHRVIdlERxBE9gkP+KIxQfTiFFLJJ03HzPw1GtLl/7ocY7hDKe9rneKkKUcnujA==

WAPT/wapt.psproj

@@ -0,0 +1,217 @@
+[PyScripter]
+Version=3.6.4.0
+
+[Project]
+ClassName=TProjectRootNode
+StoreRelativePaths=TRUE
+ShowFileExtensions=FALSE
+
+[Project\ChildNodes\Node0]
+ClassName=TProjectFilesNode
+
+[Project\ChildNodes\Node0\ChildNodes\Node0]
+ClassName=TProjectFolderNode
+Name=wapt
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node0]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\common.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node1]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\setuphelpers.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node2]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\setuphelpers_linux.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node3]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\setuphelpers_macos.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node4]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\setuphelpers_unix.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node5]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\setuphelpers_windows.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node6]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\wapt-get.ini
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node7]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\wapt-get.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes\Node8]
+ClassName=TProjectFileNode
+FileName=C:\Program Files (x86)\wapt\waptpackage.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node0\ChildNodes]
+Count=9
+
+[Project\ChildNodes\Node0\ChildNodes\Node1]
+ClassName=TProjectFileNode
+FileName=$[Project-Path]changelog.txt
+
+[Project\ChildNodes\Node0\ChildNodes\Node2]
+ClassName=TProjectFileNode
+FileName=$[Project-Path]control
+
+[Project\ChildNodes\Node0\ChildNodes\Node3]
+ClassName=TProjectFileNode
+FileName=$[Project-Path]..\setup.py
+
+[Project\ChildNodes\Node0\ChildNodes\Node4]
+ClassName=TProjectFileNode
+FileName=$[Project-Path]..\update_package.py
+
+[Project\ChildNodes\Node0\ChildNodes]
+Count=5
+
+[Project\ChildNodes\Node1]
+ClassName=TProjectRunConfiguationsNode
+
+[Project\ChildNodes\Node1\ChildNodes\Node0]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: install
+
+[Project\ChildNodes\Node1\ChildNodes\Node0\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch package installation.
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=install "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node0\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[ActiveScript-Dir]
+
+[Project\ChildNodes\Node1\ChildNodes\Node1]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: remove
+
+[Project\ChildNodes\Node1\ChildNodes\Node1\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch uninstallation (the uninstallation code found in local wapt database, remember to launch after an installation).
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=remove "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node1\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[ActiveScript-Dir]
+
+[Project\ChildNodes\Node1\ChildNodes\Node2]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: uninstall
+
+[Project\ChildNodes\Node1\ChildNodes\Node2\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch uninstallation code (for debugging purpose, it only runs the code of uninstall function).
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=uninstall "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node2\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[Project-Path]..
+
+[Project\ChildNodes\Node1\ChildNodes\Node3]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: session-setup
+
+[Project\ChildNodes\Node1\ChildNodes\Node3\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch session-setup (it runs directly as current user).
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=session-setup "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node3\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[ActiveScript-Dir]
+
+[Project\ChildNodes\Node1\ChildNodes\Node4]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: audit
+
+[Project\ChildNodes\Node1\ChildNodes\Node4\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch package audit.
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=audit -f "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node4\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[ActiveScript-Dir]
+
+[Project\ChildNodes\Node1\ChildNodes\Node5]
+ClassName=TProjectRunConfiguationNode
+Name=WAPT: update-package
+
+[Project\ChildNodes\Node1\ChildNodes\Node5\RunConfig]
+ScriptName=C:\Program Files (x86)\wapt\wapt-get.py
+Description=Launch update_package (it usually serve to update binaries of the package).
+EngineType=peRemote
+ReinitializeBeforeRun=TRUE
+Parameters=update-package-sources "$[Project-Path].."
+WorkingDir=$[Project-Path]..
+WriteOutputToFile=FALSE
+OutputFileName=$[ActiveScript-NoExt].log
+AppendToFile=FALSE
+
+[Project\ChildNodes\Node1\ChildNodes\Node5\RunConfig\ExternalRun]
+Caption=External Run
+Description=Run script using an external Python Interpreter
+ApplicationName=$[PythonExe-Short]
+Parameters=$[ActiveScript-Short]
+WorkingDirectory=$[ActiveScript-Dir]
+
+[Project\ChildNodes\Node1\ChildNodes]
+Count=6
+
+[Project\ChildNodes]
+Count=2
+
+[Project\ExtraPythonPath]
+Count=0
+

setup.py

@@ -1,222 +1,562 @@
-# -*- coding: utf-8 -*-
-from setuphelpers import *
-
-
-LocalAdministrator = "LocalAdministrator"
-LocalGuest = "LocalGuest"
-LegalNoticeText = "Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi."
-LegalNoticeCaption = "Bienvenue sur un poste COMITARI"
-
-enable_rename_and_disable_user = False
-enable_set_password_requirements = False
-enable_configure_login_logout_features = False
-enable_configure_lanman_service = False
-enable_configure_uac_prompt_behavior = False
-enable_configure_external_device_settings = False
-enable_configure_windows_services = False
-enable_configure_windows_event_logging = False
-enable_configure_windows_settings = False
-enable_configure_network_settings = False
-
-
-def install():
-
-    #Trouver le compte Built-in Administrator
-    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
-    sid = win32security.GetBinarySid(locsid + "-500")
-    admin_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
-
-    #Trouver le compte Built-in Guest
-    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
-    sid = win32security.GetBinarySid(locsid + "-501")
-    guest_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
-
-
-    if enable_rename_and_disable_user is True :
-        rename_and_disable_user(admin_local_user, LocalAdministrator)
-        rename_and_disable_user(guest_local_user, LocalGuest)
-    if enable_set_password_requirements is True :
-        set_password_requirements()
-    if enable_configure_login_logout_features is True :
-        configure_login_logout_features()
-    if enable_configure_lanman_service is True :
-        configure_lanman_service()
-    if enable_configure_uac_prompt_behavior is True :
-        configure_uac_prompt_behavior()
-    if enable_configure_external_device_settings is True :
-        configure_external_device_settings()
-    if enable_configure_windows_services is True :
-        configure_windows_services()
-    if enable_configure_windows_event_logging is True :
-        if get_language() is "en" :
-            configure_windows_event_logging_en()
-        if get_language() is "fr" :
-            configure_windows_event_logging_fr()
-
-    if configure_windows_settings is True :
-        configure_windows_settings()
-    if configure_network_settings is True :
-        configure_network_settings()
-
-def rename_and_disable_user(old_name, new_name):
-    try:
-        run(f'wmic useraccount where name="{old_name}" rename {new_name}', check=True)
-        run(f'wmic useraccount where name="{new_name}" set disabled=true', check=True)
-    except subprocess.CalledProcessError:
-        pass
-
-
-def set_password_requirements():
-    run('net accounts /maxpwage:365')
-    run('net accounts /minpwage:1')
-    run('net accounts /minpwlen:14')
-    run('net accounts /forcelogoff:15')
-    run('net accounts /uniquepw:24')
-    run('net accounts /lockoutthreshold:5')
-    run('net accounts /lockoutduration:15')
-    run('net accounts /lockoutwindow:15')
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\SAM', 'RelaxMinimumPasswordLengthLimits', 1)
-
-def configure_login_logout_features():
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'NoConnectedUser', 3)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCAD', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DontDisplayLastUserName', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeText', LegalNoticeText)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LegalNoticeCaption', LegalNoticeText)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', 4)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ScRemoveOption', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'InactivityTimeoutSecs', 900)
-
-def configure_lanman_service():
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'RequireSecuritySignature', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', 'EnableSecuritySignature', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes', '')
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'SMBServerNameHardeningLevel', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'DisableDomainCreds', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'LmCompatibilityLevel', 5)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Lsa', 'UseMachineID', 1)
-
-    # Ensure the MSV1_0 key exists
-    msv_path = r'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
-    if not reg.QueryValueEx(msv_path):
-        reg.CreateKey(reg.HKEY_LOCAL_MACHINE, msv_path)
-
-    registry_set(msv_path, 'NTLMMinClientSec', 537395200)
-    registry_set(msv_path, 'NTLMMinServerSec', 537395200)
-
-    # Ensure the Kerberos key exists
-    kerberos_path = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
-    if not reg.QueryValueEx(kerberos_path):
-        reg.CreateKey(reg.HKEY_LOCAL_MACHINE, kerberos_path)
-
-    registry_set(HKEY_LOCAL_MACHINE,kerberos_path, 'SupportedEncryptionTypes', 2147483640)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Cryptography', 'ForceKeyProtection', 1)
-
-def configure_uac_prompt_behavior():
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'FilterAdministratorToken', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentAdminBehavior', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'ConsentPromptBehaviorUser', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'PromptOnSecureDesktop', 1)
-
-def configure_external_device_settings():
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateDASD', 2)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers', 'AddPrinterDrivers', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'MaxDevicePasswordFailedAttempts', 10)
-
-def configure_windows_services():
-    services_to_disable = [
-        "BTAGService", "bthserv", "MapsBroker", "SharedAccess", "lltdsvc",
-        "LxssManager", "MSiSCSI", "PNRPsvc", "p2psvc", "p2pimsvc", "PNRPAutoReg",
-        "Spooler", "wercplsupport", "RasAuto", "SessionEnv", "UmRdpService",
-        "TermService", "RpcLocator", "LanmanServer", "upnphost", "SSDPSRV",
-        "WerSvc", "Wecsvc", "WMPNetworkSvc", "icssvc", "WpnService",
-        "PushToInstall", "WinRM", "XboxGipSvc", "XblAuthManager", "XblGameSave", "XboxNetApiSvc"
-    ]
-
-    for service in services_to_disable:
-        run(f'sc config {service} start= disabled')
-        run(f'net stop {service}')
-
-def configure_windows_event_logging_en():
-    auditpol_commands = [
-        'auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Plug and Play Events" /success:enable',
-        'auditpol /set /subcategory:"Process Creation" /success:enable',
-        'auditpol /set /subcategory:"Account Lockout" /failure:enable',
-        'auditpol /set /subcategory:"Group Membership" /success:enable',
-        'auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Detailed File Share" /failure:enable',
-        'auditpol /set /subcategory:"File Share" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Other Object Access Events" /success:enable',
-        'auditpol /set /subcategory:"Removable Storage" /success:enable',
-        'auditpol /set /subcategory:"Authorization Policy Change" /success:enable',
-        'auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Other Policy Change Events" /failure:enable',
-        'auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Security System Extension" /success:enable',
-    ]
-
-    for command in auditpol_commands:
-        run(command)
-
-def configure_windows_event_logging_fr():
-    auditpol_commands = [
-        'auditpol /set /subcategory:"Validation des informations d’identification" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Gestion des groupes d’applications" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Gestion des groupes de sécurité" /success:enable',
-        'auditpol /set /subcategory:"Gestion des comptes d’utilisateur" /success:enable',
-        'auditpol /set /subcategory:"Événements Plug-and-Play" /success:enable',
-        'auditpol /set /subcategory:"Création du processus" /success:enable',
-        'auditpol /set /subcategory:"Verrouillage du compte" /failure:enable',
-        'auditpol /set /subcategory:"Appartenance à un groupe" /success:enable',
-        'auditpol /set /subcategory:"Ouvrir la session" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Fermer la session" /success:enable',
-        'auditpol /set /subcategory:"Autres événements d’ouverture/fermeture de session" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Ouverture de session spéciale" /success:enable',
-        'auditpol /set /subcategory:"Partage de fichiers détaillé" /failure:enable',
-        'auditpol /set /subcategory:"Partage de fichiers" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Autres événements d’accès à l’objet" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Stockage amovible" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Modification de la stratégie d’audit" /success:enable',
-        'auditpol /set /subcategory:"Modification de la stratégie d’authentification" /success:enable',
-        'auditpol /set /subcategory:"Modification de la stratégie d’autorisation" /success:enable',
-        'auditpol /set /subcategory:"Modification de la stratégie de niveau règle MPSSVC" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Autres événements de modification de stratégie" /failure:enable',
-        'auditpol /set /subcategory:"Utilisation de privilèges sensibles" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Pilote IPSEC" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Autres événements système" /success:enable /failure:enable',
-        'auditpol /set /subcategory:"Modification de l’état de la sécurité" /success:enable',
-        'auditpol /set /subcategory:"Extension système de sécurité" /success:enable',
-        'auditpol /set /subcategory:"Intégrité du système" /success:enable /failure:enable',
-    ]
-
-    for command in auditpol_commands:
-        run(command)
-
-def configure_windows_settings():
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Personalization', 'NoLockScreenSlideshow', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\InputPersonalization', 'AllowInputPersonalization', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableAutomaticRestartSignOn', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Policies\Microsoft\Windows\Explorer', 'NoAutoplayfornonVolume', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', 4)
-
-def configure_network_settings():
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\NetBT\Parameters', 'NodeType', 2)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'IPEnableRouter', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DisableIPSourceRouting', 2)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveTime', 300000)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'KeepAliveInterval', 30)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableDeadGWDetect', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'TcpMaxDataRetransmissions', 5)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'DontAddDefaultGatewayDefault', 1)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'PerformRouterDiscovery', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirect', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableICMPRedirects', 0)
-    registry_set(HKEY_LOCAL_MACHINE,r'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', 'EnableMulticastForwarding', 0)
-
+# -*- coding: utf-8 -*-
+from setuphelpers import *
+import winreg
+import win32net
+import win32security
+
+def install():
+
+
+    #CIS-15500 - Password History
+    run("net accounts /uniquepw:24")
+    #CIS-15501 - Maximum password Age
+    run("net accounts /MAXPWAGE:90")
+    #CIS-15502 - Minimum password Age
+    run("net accounts /minpwage:1")
+    #CIS-15503 - Minimum password Lenght
+    run("net accounts /MINPWLEN:14")
+    # # #CIS-15505 - Relax minimum password length limits
+    registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SAM", "RelaxMinimumPasswordLengthLimits","1")
+    #CIS-15506 - Account lockout duration
+    run("net accounts /lockoutduration:15")
+    #CIS-15507 - Account lockout Threshold
+    run("net accounts /lockoutthreshold:5")
+    #CIS-15508 - Reset lockout counter after
+    run("net accounts /lockoutwindow:15")
+
+
+    #CIS-15512 - Accounts: Limit local account use of blank passwords to console logon only'
+    registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse","1")
+    #CIS-15510 - 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.
+    registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoConnectedUser","3")
+    #CIS-15509 - Administrator account status disabled (fr)
+    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
+    sid = win32security.GetBinarySid(locsid + "-500")
+    admin_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
+    # #CIS-15513 - Accounts: Rename Administrator Account' (fr)
+    if admin_local_user == "Administrateur" :
+        run("wmic useraccount where name='Administrateur' rename 'comi-adm'")
+        run(r'net user "comi-adm" /active:no')
+    else:
+        run(r'net user "comi-adm" /active:no')
+    #CIS-15511 - Guest account status disabled (fr)
+    locsid = str(win32net.NetUserModalsGet(get_computername(), 2)['domain_id']).split(':',1)[-1]
+    sid = win32security.GetBinarySid(locsid + "-501")
+    guest_local_user, domain, typ = win32security.LookupAccountSid(wincomputername(), sid)
+    run(r'net user "%s" /active:no' % guest_local_user)
+    #CIS-15514 - Accounts: Rename Guest Account' (fr)
+    if guest_local_user == "Invité" :
+        run("wmic useraccount where name='Invité' rename 'comiguest'")
+        run(r'net user "comiguest" /active:no')
+    else:
+        run(r'net user "comiguest" /active:no')
+
+    ####TEXTE LEGAL####
+
+    #CIS-15529 - 'Interactive logon: Message text for users attempting to log on'.
+    registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeText","Bienvenue sur un poste COMITARI, Toute personne non autorisé à se connecter à la machine sera poursuivi.",REG_SZ)
+    #CIS-15530 - 'Interactive logon: Message title for users attempting to log on'.
+    registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "LegalNoticeCaption","Bienvenue sur un poste COMITARI")
+
+    ####SERVICES####
+
+    #CIS - 	Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\BTAGService", "Start","4")
+    #CIS - 	Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\bthserv", "Start","4")
+    #CIS - 	Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\MapsBroker", "Start","4")
+    #CIS - 	Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\lfsvc", "Start","4")
+    #CIS - 	Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\IISADMIN", "Start","4")
+    #CIS - 	Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\irmon", "Start","4")
+    #CIS - 	Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess", "Start","4")
+    #CIS - 	Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\lltdsvc", "Start","4")
+    #CIS - 	Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LxssManager", "Start","4")
+    #CIS - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\MSiSCSI", "Start","4")
+    #CIS - 	Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\FTPSVC", "Start","4")
+    #CIS - 	Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\sshd", "Start","4")
+    #CIS - 	Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPsvc", "Start","4")
+    #CIS - Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2psvc", "Start","4")
+    #CIS - Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\p2pimsvc", "Start","4")
+    #CIS - Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PNRPAutoReg", "Start","4")
+    #CIS - Ensure 'Print Spooler (Spooler)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Spooler", "Start","4")
+    #CIS - Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\wercplsupport", "Start","4")
+    #CIS - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RasAuto", "Start","4")
+    #CIS - Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SessionEnv", "Start","4")
+    #CIS - Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\TermService", "Start","4")
+    #CIS - Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\UmRdpService", "Start","4")
+    #CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RpcLocator", "Start","4")
+    #CIS - Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start","4")
+    #CIS - 	Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\RemoteAccess", "Start","4")
+    #CIS - 	Ensure 'Server (LanmanServer)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer", "Start","4")
+    #CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\simptcp", "Start","4")
+    #CIS - Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SNMP", "Start","4")
+    #CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\sacsvr", "Start","4")
+    #CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SSDPSRV", "Start","4")
+    #CIS - 	Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\upnphost", "Start","4")
+    #CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMSvc", "Start","4")
+    #CIS - Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WerSvc", "Start","4")
+    #CIS - Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Wecsvc", "Start","4")
+    #CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WMPNetworkSvc", "Start","4")
+    #CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\icssvc", "Start","4")
+    #CIS - 	Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WpnService", "Start","4")
+    #CIS - 	Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\PushToInstall", "Start","4")
+    #CIS - Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WinRM", "Start","4")
+    #CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\W3SVC", "Start","4")
+    #CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxGipSvc", "Start","4")
+    #CIS - 	Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XblAuthManager", "Start","4")
+    #CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XblGameSave", "Start","4")
+    #CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4")
+
+    ####AUDITPOL####
+
+    run('auditpol /set /subcategory:"Validation des informations d’identification" /success:enable /failure:enable')
+    # # Ensure 'Audit Application Group Management' is set to 'Success and Failure'.
+    run('auditpol /set /subcategory:"Gestion des groupes d’applications" /success:enable /failure:enable')
+    # # Ensure 'Audit Security Group Management' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Gestion des groupes de sécurité" /success:enable')
+    # # Ensure 'Audit User Account Management' is set to 'Success and Failure'.
+    run('auditpol /set /subcategory:"Gestion des comptes d’utilisateur" /success:enable')
+    # # Ensure 'Plug and Play Events' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Événements Plug-and-Play" /success:enable')
+    # # Ensure 'Process Creation' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Création du processus" /success:enable')
+    # # Ensure 'Account Lockout' is set to 'Success and Failure'.
+    run('auditpol /set /subcategory:"Verrouillage du compte" /failure:enable')
+    # # Ensure 'Group Membership' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Appartenance à un groupe" /success:enable')
+    # # Ensure 'Logon' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Ouvrir la session" /success:enable /failure:enable')
+    # # Ensure 'Logoff' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Fermer la session" /success:enable')
+    # # Ensure 'Other Logon/Logoff Events' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Autres événements d’ouverture/fermeture de session" /success:enable /failure:enable')
+    # # Ensure 'Special Logon' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Ouverture de session spéciale" /success:enable')
+    # # Ensure 'Detailed File Share' is set to 'Success and Failure'.
+    run('auditpol /set /subcategory:"Partage de fichiers détaillé" /failure:enable')
+    # # Ensure 'File Share' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Partage de fichiers" /success:enable /failure:enable')
+    # # Ensure 'Other Object Access Events' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Autres événements d’accès à l’objet" /success:enable /failure:enable')
+    # # Ensure 'Removable Storage' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Stockage amovible" /success:enable /failure:enable')
+    # # Ensure 'Audit Policy Change' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Modification de la stratégie d’audit" /success:enable')
+    # # Ensure 'Authentication Policy Change' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Modification de la stratégie d’authentification" /success:enable')
+    # # Ensure 'Authorization Policy Change' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Modification de la stratégie d’autorisation" /success:enable')
+    # # Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Modification de la stratégie de niveau règle MPSSVC" /success:enable /failure:enable')
+    # # Ensure 'Other Policy Change Events' is set to 'Success and Failure'.
+    run('auditpol /set /subcategory:"Autres événements de modification de stratégie" /failure:enable')
+    # # Ensure 'Sensitive Privilege Use' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Utilisation de privilèges sensibles" /success:enable /failure:enable')
+    # # Ensure 'IPsec Driver' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Pilote IPSEC" /success:enable /failure:enable')
+    # # Ensure 'Other System Events' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Autres événements système" /success:enable /failure:enable')
+    # # Ensure 'Security State Change' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Modification de l’état de la sécurité" /success:enable')
+    # # Ensure 'Security System Extension' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Extension système de sécurité" /success:enable')
+    # # Ensure 'System Integrity' is set to include 'Success'.
+    run('auditpol /set /subcategory:"Intégrité du système" /success:enable /failure:enable')
+
+    #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1")
+    #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1")
+    #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0")
+    #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0")
+    #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0")
+    #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4")
+    #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")
+
+####FIREWALL####
+
+    # #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.
+    run("netsh advfirewall set allprofiles state on")
+    #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
+    run('netsh advfirewall firewall add rule name="Block All Inbound Connections" dir=in action=block')
+    #CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile", "DisableNotifications","1")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile", "DisableNotifications","1")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile", "DisableNotifications","1")
+    #CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\domainfw.log")
+    # #CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\privatefw.log")
+    # #CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogFilePath",r"System32\logfiles\firewall\publicfw.log")
+    # #CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogFileSize","16384")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogFileSize","16384")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogFileSize","16384")
+    # #CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging", "LogDroppedPackets","1")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging", "LogDroppedPackets","1")
+    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging", "LogDroppedPackets","1")
+    # #CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
+    # #CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
+    # #CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
+    # #CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile", "AllowLocalIPsecPolicyMerge","0")
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile", "AllowLocalPolicyMerge","0")
+
+####Windows Terminal Services####
+
+    #Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "DisablePasswordSaving","1")
+    #Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDenyTSConnections","1")
+    #Ensure 'Allow UI Automation redirection' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "EnableUiaRedirection","0")
+    #Ensure 'Do not allow COM port redirection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableCcm","1")
+    #Ensure 'Do not allow drive redirection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableCdm","1")
+    #Ensure 'Do not allow location redirection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableLocationRedir","1")
+    #Ensure 'Do not allow LPT port redirection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableLPT","1")
+    #Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisablePNPRedir","1")
+    #Ensure 'Always prompt for password upon connection' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fPromptForPassword","1")
+    #Ensure 'Require secure RPC communication' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fEncryptRPCTraffic","1")
+    #Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "SecurityLayer","2")
+    #Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "UserAuthentication","1")
+    #Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MinEncryptionLevel","3")
+    #Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxIdleTime","800000")
+    #Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxDisconnectionTime","60000")
+    #Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "DeleteTempDirsOnExit","1")
+
+####Windows Search####
+
+    #Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCloudSearch","0")
+    #Ensure 'Allow Cortana' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortana","0")
+    #Ensure 'Allow Cortana above lock screen' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortanaAboveLock","0")
+    #Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowIndexingEncryptedStoresOrItems","0")
+    #Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowSearchToUseLocation","0")
+
+####Windows Store####
+
+    #Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "DisableStoreApps","1")
+    #Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "RequirePrivateStoreOnly","1")
+    #Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "AutoDownload","4")
+    #Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "DisableOSUpgrade","1")
+    #Ensure 'Turn off the Store application' is set to 'Enabled'.
+    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsStore", "RemoveWindowsStore","1")
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##################################################################
+    #CIS-15515 - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "SCENoApplyLegacyAuditPolicy","1")
+    # #CIS-15516 - Audit: Shut down system immediately if unable to log security audits
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "CrashOnAuditFail","0")
+    # #CIS-15517 - Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AllocateDASD","2")
+    # #CIS-15518 - 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers", "AddPrinterDrivers","1")
+    # #CIS-15519 - 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireSignOrSeal","1")
+    # #CIS-15520 - 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'.
+    # #CIS-15521 - 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "SealSecureChannel","1")
+    # #CIS-15522 - 'Domain member: Disable machine account password changes' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "DisablePasswordChange","0")
+    # #CIS-15523 - 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "MaximumPasswordAge","30")
+    # #CIS-15524 - 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\Netlogon\Parameters", "RequireStrongKey","1")
+    # #CIS-15525 - 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD","0")
+    # #CIS-15526 - 'Interactive logon: Don't display last signed-in' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName","1")
+    # #CIS-15527 - 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "MaxDevicePasswordFailedAttempts","10")
+
+
+
+
+    # #CIS-15531 - 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4''.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount","4")
+    # #CIS-15532 - 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "PasswordExpiryWarning","10")
+    # #CIS-15533 - 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "SCRemoveOption","2")
+    # #CIS-15534 - 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","2")
+    # #CIS-15535 - 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
+    # #CIS-15536 - 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnablePlainTextPassword","0")
+    # #CIS-15537 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "AutoDisconnect","15")
+    # #CIS-15538 - 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature","1")
+    # #CIS-15539 - 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature","1")
+    # #CIS-15540 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableForcedLogOff","1")
+    # #CIS-15541 - Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "SMBServerNameHardeningLevel","1")
+    # #CIS-15542 - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.
+    # #run("")
+    # #CIS-15543 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM","1")
+    # #CIS-15544 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous","1")
+    # #CIS-15545 - Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds","1")
+    # #CIS-15546 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous","0")
+    # #CIS-15547 - Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'.
+    # #run("")
+    # #CIS-15548 - Ensure 'Network access: Remotely accessible registry paths' is configured.
+    # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths", "Machine","System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion")
+    # #CIS-15549 - Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured.
+    # #run("")
+    # #CIS-15550 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Services\LanManServer\Parameters", "RestrictNullSessAccess","1")
+    #CIS-15551 -
+    #run("")
+    #CIS-15552 -
+    #run("")
+    # #CIS-15553 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "ForceGuest","0")
+    # #CIS - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "UseMachineId","1")
+    # #CIS - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "allownullsessionfallback","0")
+    # #CIS - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\pku2u", "AllowOnlineID","0")
+    # #CIS - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "NoLMHash","1")
+    # #CIS - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "EnableForcedLogOff","1")
+    # #CIS - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel","5")
+    # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec","537395200")
+    # #CIS - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec","537395200")
+    # #CIS - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager\Kernel", "ObCaseInsensitive","1")
+    # #CIS - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.
+    # # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","1")
+    # registry_set(HKEY_LOCAL_MACHINE, r"System\CurrentControlSet\Control\Session Manager", "ProtectionMode","0")
+    # #CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken","1")
+    # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
+    # # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","0")
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser","1")
+    # #CIS - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection","1")
+    # #CIS - 	Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableSecureUIAPaths","0")
+    # #CIS - 	Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA","0")
+    # #CIS - 	Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop","1")
+    # #CIS - 	Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.
+    # registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableVirtualization","1")
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+