In the current era of building devices, which includes servers and workstations, you should be compliant to the CIS benchmarks to make sure they are as secure as they can be at the time they’re built.
Build secure devices from day one!
It is important to get the basics right at the build process it’s more efficient to build servers secure from day as trying to retrofit these policies onto older legacy servers Can be consider considerably harder task based on your troubleshooting abilities.
Segregate group policy objects
I would also recommend layering your policies with meaningful names and avoid using one big policy to have all the settings, if you are aiming for L2 compliance that consists of around 800 settings.
I have personally seen what happens when you try and combine CIS L2 policies with your existing policy for certain organizational units - you end up having to logically go through up to the 800 policies mentioned earlier, plus all of your other applied settings - you can end up completely confusing yourself and making the problem worse if you take this approach - I have seen this exact thing happen firsthand.
Advice : CIS enforcement with Group policy
I would highly recommend that you split up all your group policy objects to enforce these settings into lots of individual settings that gradually control certain sections so if you do run into a problem, you don’t have to diagnose every setting at the same time, I have actually used a color coding system with a valid description to keep track of this as below:
Infra-AuditSettings-Green
Infra-CIS-AuditSettings-Green
Infra-CIS-CoreSettings-Amber
Infra-CIS-CoreSettings-Green
Infra-CIS-MemberServer-Core-L2
Infra-CIS-MemberServer-Exchange-L2
Infra-CIS-MemberServer-SQL-L2
Infra-CIS-MemberServer-User-L2
Infra-CoreSettings-Amber
Infra-CoreSettings-Exchange-Green
Infra-CoreSettings-Green
Infra-MemberServer-Core-L2
Infra-MemberServer-User-L2
CIS Levels
CIS L1 is a very basic policy that should not interfere or impact user services or applications whatsoever unless you’re following very old security practices
CIS L2 is a more stringent set of security policies that will probably break certain applications and services which will then rely on your application of your group policy objects to diagnose where the problem is.
CIS L1 or CIS L2?
The CIS L2 is a set of security guidelines developed by the Center for Internet Security (CIS) that provides advanced security configurations for IT systems. It is designed for organizations that require a higher level of security due to regulatory requirements, sensitive data handling, or increased threat exposure.
Can I just go straight to CIS L2?
Yes if you are looking to use CIS L2, there is no need to separately address CIS L1 controls because L2 builds upon them. Every L2 recommendation inherently assumes that L1 controls are already in place, adding further layers of security to mitigate more sophisticated attacks.
For example, if L1 requires basic password policies, L2 may enforce stricter password complexity, multi-factor authentication, and session timeout policies. By implementing L2, you automatically cover the foundational security measures of L1 while reinforcing your systems against advanced threats.
Overview Scanner
When you run the quick assessment script you will get a Phase 1 score and a Phase 2 score as you can see below:
This means we have a low compliance for both Phase 1 and Phase 2 of this servers, this a quick run to assess the overall CIS baseline percentages, for a more accurate comparison you should be using the CIS Toolkit for offical run these assessments.
Script : CISL2Scanner.ps1
# Complete CIS Level 2 Windows Compliance Audit Script
[CmdletBinding()]
param(
[Parameter()]
[string]$OutputPath = ".\CIS_L2_Complete_Audit_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
)
$results = @()
$global:totalChecks = 0
$global:passedChecks = 0
function Test-RegistryValue {
param(
[string]$Path,
[string]$Name,
[string]$ExpectedValue,
[string]$Category
)
$global:totalChecks++
try {
$actualValue = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
$compliant = $actualValue.$Name -eq $ExpectedValue
if ($compliant) { $global:passedChecks++ }
$results += [PSCustomObject]@{
Category = $Category
CheckType = "Registry"
Location = $Path
ItemName = $Name
Expected = $ExpectedValue
Actual = $actualValue.$Name
Compliant = $compliant
}
}
catch {
$results += [PSCustomObject]@{
Category = $Category
CheckType = "Registry"
Location = $Path
ItemName = $Name
Expected = $ExpectedValue
Actual = "Not Found"
Compliant = $false
}
}
}
function Test-SecurityPolicy {
param(
[string]$PolicyName,
[string]$ExpectedValue,
[string]$Category
)
$global:totalChecks++
try {
secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
$content = Get-Content "$env:TEMP\secpol.cfg"
$pattern = "$PolicyName = (.*)"
$match = $content | Select-String -Pattern $pattern
if ($match) {
$actualValue = $match.Matches.Groups[1].Value.Trim()
$compliant = $actualValue -eq $ExpectedValue
if ($compliant) { $global:passedChecks++ }
}
else {
$actualValue = "Not Found"
$compliant = $false
}
$results += [PSCustomObject]@{
Category = $Category
CheckType = "SecurityPolicy"
Location = "Security Policy"
ItemName = $PolicyName
Expected = $ExpectedValue
Actual = $actualValue
Compliant = $compliant
}
}
catch {
$results += [PSCustomObject]@{
Category = $Category
CheckType = "SecurityPolicy"
Location = "Security Policy"
ItemName = $PolicyName
Expected = $ExpectedValue
Actual = "Error"
Compliant = $false
}
}
finally {
Remove-Item "$env:TEMP\secpol.cfg" -ErrorAction SilentlyContinue
}
}
function Test-AuditPolicy {
param(
[string]$Subcategory,
[string]$ExpectedValue,
[string]$Category
)
$global:totalChecks++
try {
$auditpol = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
$actualValue = $auditpol.'Inclusion Setting'
$compliant = $actualValue -eq $ExpectedValue
if ($compliant) { $global:passedChecks++ }
$results += [PSCustomObject]@{
Category = $Category
CheckType = "AuditPolicy"
Location = "Audit Policy"
ItemName = $Subcategory
Expected = $ExpectedValue
Actual = $actualValue
Compliant = $compliant
}
}
catch {
$results += [PSCustomObject]@{
Category = $Category
CheckType = "AuditPolicy"
Location = "Audit Policy"
ItemName = $Subcategory
Expected = $ExpectedValue
Actual = "Error"
Compliant = $false
}
}
}
function Test-UserRights {
param(
[string]$UserRight,
[string]$ExpectedValue,
[string]$Category
)
$global:totalChecks++
try {
$sid = (New-Object System.Security.Principal.NTAccount($ExpectedValue)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$secpol = secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
$content = Get-Content "$env:TEMP\secpol.cfg"
$pattern = "$UserRight = (.*)"
$match = $content | Select-String -Pattern $pattern
if ($match) {
$actualValue = $match.Matches.Groups[1].Value.Trim()
$compliant = $actualValue -contains $sid
if ($compliant) { $global:passedChecks++ }
}
else {
$actualValue = "Not Found"
$compliant = $false
}
$results += [PSCustomObject]@{
Category = $Category
CheckType = "UserRights"
Location = "User Rights Assignment"
ItemName = $UserRight
Expected = $ExpectedValue
Actual = $actualValue
Compliant = $compliant
}
}
catch {
$results += [PSCustomObject]@{
Category = $Category
CheckType = "UserRights"
Location = "User Rights Assignment"
ItemName = $UserRight
Expected = $ExpectedValue
Actual = "Error"
Compliant = $false
}
}
finally {
Remove-Item "$env:TEMP\secpol.cfg" -ErrorAction SilentlyContinue
}
}
function Test-ServiceSettings {
param(
[string]$ServiceName,
[string]$ExpectedStartType,
[string]$Category
)
$global:totalChecks++
try {
$service = Get-Service -Name $ServiceName -ErrorAction Stop
$startType = (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartMode
$compliant = $startType -eq $ExpectedStartType
if ($compliant) { $global:passedChecks++ }
$results += [PSCustomObject]@{
Category = $Category
CheckType = "Service"
Location = "System Services"
ItemName = $ServiceName
Expected = $ExpectedStartType
Actual = $startType
Compliant = $compliant
}
}
catch {
$results += [PSCustomObject]@{
Category = $Category
CheckType = "Service"
Location = "System Services"
ItemName = $ServiceName
Expected = $ExpectedStartType
Actual = "Not Found"
Compliant = $false
}
}
}
# 1. Account Policies
# Password Policy
Test-SecurityPolicy -PolicyName "PasswordHistorySize" -ExpectedValue "24" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "MaximumPasswordAge" -ExpectedValue "60" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "MinimumPasswordAge" -ExpectedValue "1" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "MinimumPasswordLength" -ExpectedValue "14" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "PasswordComplexity" -ExpectedValue "1" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "ClearTextPassword" -ExpectedValue "0" -Category "Account Policies"
# Account Lockout Policy
Test-SecurityPolicy -PolicyName "LockoutBadCount" -ExpectedValue "3" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "ResetLockoutCount" -ExpectedValue "15" -Category "Account Policies"
Test-SecurityPolicy -PolicyName "LockoutDuration" -ExpectedValue "15" -Category "Account Policies"
# 2. Security Options
# Network Security
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "NoLMHash" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -ExpectedValue "5" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymousSAM" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "EveryoneIncludesAnonymous" -ExpectedValue "0" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "ForceGuest" -ExpectedValue "0" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "UseMachineId" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMMinClientSec" -ExpectedValue "537395200" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMMinServerSec" -ExpectedValue "537395200" -Category "Security Options"
# Interactive Logon
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableCAD" -ExpectedValue "0" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DontDisplayLastUserName" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "InactivityTimeoutSecs" -ExpectedValue "900" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeText" -ExpectedValue "" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeCaption" -ExpectedValue "" -Category "Security Options"
# 3. User Rights Assignment
Test-UserRights -UserRight "SeNetworkLogonRight" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeBackupPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeSystemtimePrivilege" -ExpectedValue "Administrators,LOCAL SERVICE" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeCreatePagefilePrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeCreateTokenPrivilege" -ExpectedValue "" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeCreateGlobalPrivilege" -ExpectedValue "Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeCreatePermanentPrivilege" -ExpectedValue "" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeCreateSymbolicLinkPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeDebugPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeDenyNetworkLogonRight" -ExpectedValue "Guests" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeDenyBatchLogonRight" -ExpectedValue "Guests" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeDenyServiceLogonRight" -ExpectedValue "Guests" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeDenyInteractiveLogonRight" -ExpectedValue "Guests" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeEnableDelegationPrivilege" -ExpectedValue "" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeRemoteShutdownPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeAuditPrivilege" -ExpectedValue "LOCAL SERVICE,NETWORK SERVICE" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeImpersonatePrivilege" -ExpectedValue "Administrators,LOCAL SERVICE,NETWORK SERVICE,SERVICE" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeIncreaseBasePriorityPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeLoadDriverPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeLockMemoryPrivilege" -ExpectedValue "" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeBatchLogonRight" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeServiceLogonRight" -ExpectedValue "NT SERVICE\ALL SERVICES" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeSecurityPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeRelabelPrivilege" -ExpectedValue "" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeSystemEnvironmentPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeManageVolumePrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeProfileSingleProcessPrivilege" -ExpectedValue "Administrators" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeSystemProfilePrivilege" -ExpectedValue "Administrators,NT SERVICE\WdiServiceHost" -Category "User Rights Assignment"
Test-UserRights -UserRight "SeAssignPrimaryTokenPrivilege" -ExpectedValue "LOCAL SERVICE,NETWORK SERVICE" -Category "User Rights Assignment"
# 4. Security Audit Policy
Test-AuditPolicy -Subcategory "Security System Extension" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "System Integrity" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "IPsec Driver" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other System Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Security State Change" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Application Generated" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "File System" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Registry" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "SAM" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Certification Services" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Application Group Management" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Distribution Group Management" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other Account Management Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Security Group Management" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "User Account Management" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "DPAPI Activity" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Process Creation" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Process Termination" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Account Lockout" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Group Membership" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Logoff" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Logon" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other Logon/Logoff Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Special Logon" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Detailed File Share" -ExpectedValue "Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "File Share" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other Object Access Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Removable Storage" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Audit Policy Change" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Authentication Policy Change" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Authorization Policy Change" -ExpectedValue "Success" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "MPSSVC Rule-Level Policy Change" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other Policy Change Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Sensitive Privilege Use" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other Privilege Use Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "IPsec Extended Mode" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "IPsec Main Mode" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "IPsec Quick Mode" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Other System Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "RPC Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
Test-AuditPolicy -Subcategory "Token Right Adjusted Events" -ExpectedValue "Success and Failure" -Category "Audit Policy"
# 5. Windows Services
Test-ServiceSettings -ServiceName "BTAGService" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "bthserv" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "Browser" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "MapsBroker" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "lfsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "IISADMIN" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "irmon" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "SharedAccess" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "lltdsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "LxssManager" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "FTPSVC" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "MSiSCSI" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "sshd" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "PNRPsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "p2psvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "p2pimsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "PNRPAutoReg" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "Spooler" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "wercplsupport" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "RasAuto" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "SessionEnv" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "TermService" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "UmRdpService" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "RpcLocator" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "RemoteRegistry" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "RemoteAccess" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "LanmanServer" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "simptcp" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "SNMP" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "SSDPSRV" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "upnphost" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WMSvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WerSvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "Wecsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WMPNetworkSvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "icssvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WpnService" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "PushToInstall" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WinRM" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "W3SVC" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "XboxGipSvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "XblAuthManager" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "XblGameSave" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "XboxNetApiSvc" -ExpectedStartType "Disabled" -Category "Services"
# 6. Registry Policy Settings
# Windows Components
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoAutorun" -ExpectedValue "1" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -ExpectedValue "255" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AllocateCDRoms" -ExpectedValue "1" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AllocateFloppies" -ExpectedValue "1" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -ExpectedValue "0" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "ClearPageFileAtShutdown" -ExpectedValue "1" -Category "Windows Components"
# Administrative Templates
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DisablePasswordChange" -ExpectedValue "0" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "MaximumPasswordAge" -ExpectedValue "30" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "RequireStrongKey" -ExpectedValue "1" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SealSecureChannel" -ExpectedValue "1" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SignSecureChannel" -ExpectedValue "1" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -ExpectedValue "1" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "EnableSecuritySignature" -ExpectedValue "1" -Category "Administrative Templates"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "EnablePlainTextPassword" -ExpectedValue "0" -Category "Administrative Templates"
# Network Settings
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "DisableIPSourceRouting" -ExpectedValue "2" -Category "Network Settings"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnableICMPRedirect" -ExpectedValue "0" -Category "Network Settings"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "PerformRouterDiscovery" -ExpectedValue "0" -Category "Network Settings"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "TCPMaxDataRetransmissions" -ExpectedValue "3" -Category "Network Settings"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" -Name "NoNameReleaseOnDemand" -ExpectedValue "1" -Category "Network Settings"
# Windows Defender
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -ExpectedValue "0" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -ExpectedValue "0" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -ExpectedValue "0" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -ExpectedValue "0" -Category "Windows Defender"
# Credential Guard
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -ExpectedValue "1" -Category "Credential Guard"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ExpectedValue "1" -Category "Credential Guard"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -ExpectedValue "1" -Category "Credential Guard"
# BitLocker
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "UseAdvancedStartup" -ExpectedValue "1" -Category "BitLocker"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "UseTPMPIN" -ExpectedValue "1" -Category "BitLocker"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "UseTPM" -ExpectedValue "1" -Category "BitLocker"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "UseTPMKeyPIN" -ExpectedValue "1" -Category "BitLocker"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "MinimumPIN" -ExpectedValue "6" -Category "BitLocker"
# PowerShell
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -ExpectedValue "1" -Category "PowerShell"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ExpectedValue "1" -Category "PowerShell"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -ExpectedValue "1" -Category "PowerShell"
# Remote Desktop
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fAllowToGetHelp" -ExpectedValue "0" -Category "Remote Desktop"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fAllowUnsolicited" -ExpectedValue "0" -Category "Remote Desktop"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDenyTSConnections" -ExpectedValue "1" -Category "Remote Desktop"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "SecurityLayer" -ExpectedValue "2" -Category "Remote Desktop"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "UserAuthentication" -ExpectedValue "1" -Category "Remote Desktop"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "MinEncryptionLevel" -ExpectedValue "3" -Category "Remote Desktop"
# Windows Firewall
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name "DefaultInboundAction" -ExpectedValue "1" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name "DefaultOutboundAction" -ExpectedValue "0" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name "DisableNotifications" -ExpectedValue "0" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name "DefaultInboundAction" -ExpectedValue "1" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name "DefaultOutboundAction" -ExpectedValue "0" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name "DefaultInboundAction" -ExpectedValue "1" -Category "Windows Firewall"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name "DefaultOutboundAction" -ExpectedValue "0" -Category "Windows Firewall"
# Advanced Audit Policies
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "SCENoApplyLegacyAuditPolicy" -ExpectedValue "1" -Category "Audit Policies"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "CrashOnAuditFail" -ExpectedValue "1" -Category "Audit Policies"
# Internet Explorer
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -ExpectedValue "1" -Category "Internet Explorer"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" -Name "DisableSecuritySettingsCheck" -ExpectedValue "0" -Category "Internet Explorer"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "SecureProtocols" -ExpectedValue "2688" -Category "Internet Explorer"
# Windows Update
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -ExpectedValue "0" -Category "Windows Update"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "ScheduledInstallDay" -ExpectedValue "0" -Category "Windows Update"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoRebootWithLoggedOnUsers" -ExpectedValue "0" -Category "Windows Update"
# Event Log Sizes
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" -Name "MaxSize" -ExpectedValue "32768" -Category "Event Log"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" -Name "MaxSize" -ExpectedValue "196608" -Category "Event Log"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" -Name "MaxSize" -ExpectedValue "32768" -Category "Event Log"
# Local Group Policy
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -ExpectedValue "1" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -ExpectedValue "2" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorUser" -ExpectedValue "0" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "FilterAdministratorToken" -ExpectedValue "1" -Category "UAC"
# System Cryptography
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography" -Name "ForceKeyProtection" -ExpectedValue "2" -Category "Cryptography"
# Calculate final compliance percentage
$compliancePercentage = [math]::Round(($global:passedChecks / $global:totalChecks) * 100, 2)
# Export results
$results | Export-Csv -Path $OutputPath -NoTypeInformation
# Display final summary
Write-Host "`nCIS Level 2 Phase 1 Audit Complete" -ForegroundColor Green
Write-Host "=================================" -ForegroundColor Green
Write-Host "Total Checks Performed: $($global:totalChecks)"
Write-Host "Checks Passed: $($global:passedChecks)"
Write-Host "Checks Failed: $($global:totalChecks - $global:passedChecks)"
Write-Host "Overall Compliance: $compliancePercentage%"
#Write-Host "`nDetailed results have been exported to: $OutputPath"
# Additional Administrative Templates - MS Office Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security" -Name "AutomationSecurityPublisher" -ExpectedValue "1" -Category "MS Office"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security" -Name "VBAWarnings" -ExpectedValue "4" -Category "MS Office"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security" -Name "DisableAllActiveX" -ExpectedValue "1" -Category "MS Office"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security" -Name "MacroRuntimeScanScope" -ExpectedValue "2" -Category "MS Office"
# Additional Windows Store Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore" -Name "DisableStoreApps" -ExpectedValue "1" -Category "Windows Store"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore" -Name "AutoDownload" -ExpectedValue "4" -Category "Windows Store"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore" -Name "RemoveWindowsStore" -ExpectedValue "1" -Category "Windows Store"
# Additional Network Provider Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\NETLOGON" -ExpectedValue "RequireMutualAuthentication=1, RequireIntegrity=1" -Category "Network Provider"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\SYSVOL" -ExpectedValue "RequireMutualAuthentication=1, RequireIntegrity=1" -Category "Network Provider"
# Additional App Privacy Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessCamera" -ExpectedValue "2" -Category "App Privacy"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessMicrophone" -ExpectedValue "2" -Category "App Privacy"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessNotifications" -ExpectedValue "2" -Category "App Privacy"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessAccountInfo" -ExpectedValue "2" -Category "App Privacy"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessContacts" -ExpectedValue "2" -Category "App Privacy"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" -Name "LetAppsAccessCalendar" -ExpectedValue "2" -Category "App Privacy"
# Additional Password Policies
Test-SecurityPolicy -PolicyName "PasswordExpiryWARNING" -ExpectedValue "14" -Category "Password Policy"
Test-SecurityPolicy -PolicyName "PasswordComplexity" -ExpectedValue "1" -Category "Password Policy"
Test-SecurityPolicy -PolicyName "ClearTextPassword" -ExpectedValue "0" -Category "Password Policy"
# Additional Security Options
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "NoLMHash" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LimitBlankPasswordUse" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "AuditBaseObjects" -ExpectedValue "0" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "FullPrivilegeAuditing" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "SCENoApplyLegacyAuditPolicy" -ExpectedValue "1" -Category "Security Options"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -ExpectedValue "1" -Category "Security Options"
# Additional Network Security Settings
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisableIPSourceRouting" -ExpectedValue "2" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "TcpMaxDataRetransmissions" -ExpectedValue "3" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LDAP" -Name "LDAPClientIntegrity" -ExpectedValue "1" -Category "Network Security"
# Additional Windows Defender Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SpynetReporting" -ExpectedValue "2" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SubmitSamplesConsent" -ExpectedValue "1" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableIOAVProtection" -ExpectedValue "0" -Category "Windows Defender"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name "DisableHeuristics" -ExpectedValue "0" -Category "Windows Defender"
# Additional User Account Control Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableVirtualization" -ExpectedValue "1" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableSecureUIAPaths" -ExpectedValue "1" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableInstallerDetection" -ExpectedValue "1" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ValidateAdminCodeSignatures" -ExpectedValue "0" -Category "UAC"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableUIADesktopToggle" -ExpectedValue "0" -Category "UAC"
# OneDrive Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -ExpectedValue "1" -Category "OneDrive"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableLibrariesDefaultSaveToOneDrive" -ExpectedValue "1" -Category "OneDrive"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableMeteredNetworkFileSync" -ExpectedValue "1" -Category "OneDrive"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "PreventNetworkTrafficPreUserSignIn" -ExpectedValue "1" -Category "OneDrive"
# Cloud Content Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content" -Name "DisableWindowsConsumerFeatures" -ExpectedValue "1" -Category "Cloud Content"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content" -Name "DisableSoftLanding" -ExpectedValue "1" -Category "Cloud Content"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content" -Name "DisableCloudOptimizedContent" -ExpectedValue "1" -Category "Cloud Content"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content" -Name "DisableConsumerAccountStateContent" -ExpectedValue "1" -Category "Cloud Content"
# Game DVR and Xbox Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -ExpectedValue "0" -Category "Game DVR"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\xbgm" -Name "Start" -ExpectedValue "4" -Category "Game DVR"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\XboxSave" -Name "Enabled" -ExpectedValue "0" -Category "Xbox"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\XboxLive" -Name "AllowXboxLive" -ExpectedValue "0" -Category "Xbox"
# Location Services
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" -Name "DisableLocation" -ExpectedValue "1" -Category "Location Services"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" -Name "DisableWindowsLocationProvider" -ExpectedValue "1" -Category "Location Services"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" -Name "DisableLocationScripting" -ExpectedValue "1" -Category "Location Services"
# Push Notifications
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "NoCloudApplicationNotification" -ExpectedValue "1" -Category "Push Notifications"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "DisableNotificationMirroring" -ExpectedValue "1" -Category "Push Notifications"
# Network Stack Settings
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnableICMPRedirect" -ExpectedValue "0" -Category "Network Stack"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "KeepAliveTime" -ExpectedValue "300000" -Category "Network Stack"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "TcpMaxDupAcks" -ExpectedValue "2" -Category "Network Stack"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "SynAttackProtect" -ExpectedValue "1" -Category "Network Stack"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnableDeadGWDetect" -ExpectedValue "0" -Category "Network Stack"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "EnablePMTUDiscovery" -ExpectedValue "0" -Category "Network Stack"
# Additional Service Settings
Test-ServiceSettings -ServiceName "PeerDistSvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "dmwappushservice" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "MapsBroker" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "lfsvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "SharedAccess" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "wisvc" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "RetailDemo" -ExpectedStartType "Disabled" -Category "Services"
Test-ServiceSettings -ServiceName "WalletService" -ExpectedStartType "Disabled" -Category "Services"
# Windows Search Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowCloudSearch" -ExpectedValue "0" -Category "Windows Search"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowCortana" -ExpectedValue "0" -Category "Windows Search"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowSearchToUseLocation" -ExpectedValue "0" -Category "Windows Search"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "ConnectedSearchUseWeb" -ExpectedValue "0" -Category "Windows Search"
# Delivery Optimization
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" -Name "DODownloadMode" -ExpectedValue "0" -Category "Delivery Optimization"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" -Name "DOAllowVPNPeerCaching" -ExpectedValue "0" -Category "Delivery Optimization"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" -Name "DOAllowInternetPeerCaching" -ExpectedValue "0" -Category "Delivery Optimization"
# Windows Error Reporting
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" -Name "Disabled" -ExpectedValue "1" -Category "Error Reporting"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" -Name "AutoApproveOSDumps" -ExpectedValue "0" -Category "Error Reporting"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" -Name "DontSendAdditionalData" -ExpectedValue "1" -Category "Error Reporting"
# App Runtime Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableAutomaticRestartSignOn" -ExpectedValue "1" -Category "App Runtime"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableLockScreenAppNotifications" -ExpectedValue "1" -Category "App Runtime"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableStartupSound" -ExpectedValue "1" -Category "App Runtime"
# Windows Hello for Business
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork" -Name "Enabled" -ExpectedValue "0" -Category "Windows Hello"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork" -Name "DisablePostLogonProvisioning" -ExpectedValue "1" -Category "Windows Hello"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork" -Name "RequireSecurityDevice" -ExpectedValue "1" -Category "Windows Hello"
# Administrative Templates - Advanced Audit Policy
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" -Name "MaxSize" -ExpectedValue "32768" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" -Name "MaxSize" -ExpectedValue "196608" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" -Name "MaxSize" -ExpectedValue "32768" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" -Name "RetentionDays" -ExpectedValue "0" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" -Name "RetentionDays" -ExpectedValue "0" -Category "Admin Templates"
# Administrative Templates - SmartScreen
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableSmartScreen" -ExpectedValue "1" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "ShellSmartScreenLevel" -ExpectedValue "Block" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" -Name "ConfigureAppInstallControlEnabled" -ExpectedValue "1" -Category "Admin Templates"
# Administrative Templates - Windows Installer
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "EnableUserControl" -ExpectedValue "0" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ExpectedValue "0" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "SafeForScripting" -ExpectedValue "0" -Category "Admin Templates"
# Administrative Templates - Network Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -ExpectedValue "0" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "DisableSmartNameResolution" -ExpectedValue "1" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\NETLOGON" -ExpectedValue "RequireMutualAuthentication=1, RequireIntegrity=1" -Category "Admin Templates"
# Administrative Templates - Personalization
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreenCamera" -ExpectedValue "1" -Category "Admin Templates"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreenSlideshow" -ExpectedValue "1" -Category "Admin Templates"
# Windows Features - PDF and XPS Services
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\XPS" -Name "DisableXPSServices" -ExpectedValue "1" -Category "Windows Features"
Test-ServiceSettings -ServiceName "XPSServices" -ExpectedStartType "Disabled" -Category "Windows Features"
# Windows Features - RPC Settings
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" -Name "EnableAuthEpResolution" -ExpectedValue "1" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" -Name "RestrictRemoteClients" -ExpectedValue "1" -Category "Windows Features"
# Windows Features - Remote Desktop Services
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fAllowToGetHelp" -ExpectedValue "0" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fEncryptRPCTraffic" -ExpectedValue "1" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "MinEncryptionLevel" -ExpectedValue "3" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "SecurityLayer" -ExpectedValue "2" -Category "Windows Features"
# Windows Features - Work Folders
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkFolders" -Name "AllowWorkFolders" -ExpectedValue "0" -Category "Windows Features"
# Windows Features - Windows Update
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DeferFeatureUpdates" -ExpectedValue "1" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DeferFeatureUpdatesPeriodInDays" -ExpectedValue "180" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DeferQualityUpdates" -ExpectedValue "1" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DeferQualityUpdatesPeriodInDays" -ExpectedValue "14" -Category "Windows Features"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -ExpectedValue "0" -Category "Windows Features"
# Security Protocol Settings
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -ExpectedValue "0" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -ExpectedValue "1" -Category "Security Protocols"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -ExpectedValue "1" -Category "Security Protocols"
# Additional Network Security
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" -Name "NodeType" -ExpectedValue "2" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" -Name "SMBDeviceEnabled" -ExpectedValue "0" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -ExpectedValue "0" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name "DisableParallelAandAAAA" -ExpectedValue "1" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -ExpectedValue "0" -Category "Network Security"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" -Name "Start" -ExpectedValue "4" -Category "Network Security"
# Windows Component Restrictions
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoWebServices" -ExpectedValue "1" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoAutorun" -ExpectedValue "1" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "PreXPSP2ShellProtocolBehavior" -ExpectedValue "0" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Name "NoDataExecutionPrevention" -ExpectedValue "0" -Category "Windows Components"
Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer" -Name "NoHeapTerminationOnCorruption" -ExpectedValue "0" -Category "Windows Components"
# Authentication Policies
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -ExpectedValue "5" -Category "Authentication"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "NTLMMinClientSec" -ExpectedValue "537395200" -Category "Authentication"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "NTLMMinServerSec" -ExpectedValue "537395200" -Category "Authentication"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "allownullsessionfallback" -ExpectedValue "0" -Category "Authentication"
Test-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u" -Name "AllowOnlineID" -ExpectedValue "0" -Category "Authentication"
# Generate Category Summary
$categorySummary = $results | Group-Object -Property Category | ForEach-Object {
[PSCustomObject]@{
Category = $_.Name
TotalChecks = $_.Count
PassedChecks = ($_.Group | Where-Object { $_.Compliant -eq $true }).Count
CompliancePercentage = [math]::Round((($_.Group | Where-Object { $_.Compliant -eq $true }).Count / $_.Count) * 100, 2)
}
}
# Generate detailed report
$detailedSummary = [PSCustomObject]@{
TotalChecks = $global:totalChecks
PassedChecks = $global:passedChecks
FailedChecks = $global:totalChecks - $global:passedChecks
OverallCompliance = [math]::Round(($global:passedChecks / $global:totalChecks) * 100, 2)
ScanDateTime = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
ComputerName = $env:COMPUTERNAME
OSVersion = (Get-WmiObject Win32_OperatingSystem).Caption
Categories = $categorySummary
}
# Export results and summaries
#$results | Export-Csv -Path $OutputPath -NoTypeInformation
#$categorySummary | Export-Csv -Path ($OutputPath -replace '.csv', '_CategorySummary.csv') -NoTypeInformation
# Display final summary
Write-Host "`nCIS Level 2 Compliance Audit Summary" -ForegroundColor Green
Write-Host "=================================" -ForegroundColor Green
Write-Host "Scan Date: $($detailedSummary.ScanDateTime)"
Write-Host "Computer: $($detailedSummary.ComputerName)"
Write-Host "OS Version: $($detailedSummary.OSVersion)"
Write-Host "`nOverall Results:"
Write-Host "Total Checks Performed: $($detailedSummary.TotalChecks)"
Write-Host "Passed Checks: $($detailedSummary.PassedChecks)"
Write-Host "Failed Checks: $($detailedSummary.FailedChecks)"
Write-Host "Overall Compliance: $($detailedSummary.OverallCompliance)%"
#Write-Host "`nCompliance by Category:"
#foreach ($category in $detailedSummary.Categories) {
# Write-Host ("{0}: {1}% ({2}/{3} checks passed)" -f $category.Category,
# $category.CompliancePercentage, $category.PassedChecks, $category.TotalChecks)
#}
#Write-Host "`nDetailed results exported to:"
#Write-Host "- Full results: $OutputPath"
#Write-Host "- Category summary: $($OutputPath -replace '.csv', '_CategorySummary.csv')"
# Store the initial results before running additional checks
$phase1_results = @{
TotalChecks = $global:totalChecks
PassedChecks = $global:passedChecks
FailedChecks = ($global:totalChecks - $global:passedChecks)
CompliancePercentage = [math]::Round(($global:passedChecks / $global:totalChecks) * 100, 2)
}