security_policy_command_check

####2.1 Remove unnecessary user accounts in administrator group, manual confirm

#show all users in administrators group 

salt -N 'OS-Windows' cmd.run 'net localgroup administrators'

#delete
salt -N 'OS-Windows' cmd.run 'net localgroup administrators user1 /delete'"'



#2.2 Disable Guest Account
#no
salt -N 'OS-Windows' cmd.run 'net user guest | find "active"'


####2.3 Delete unnecessary account management
salt -N 'OS-Windows' cmd.run 'net user'

#show all users , then decide which account should be delete
salt -N 'OS-Windows' cmd.run 'net user [users] /delete'



####2.9 Change Admin account name
#yes
salt -N 'OS-Windows' cmd.run 'net user Starbucks | find "active"'



####2.4 Password Policy Settings
salt -N 'OS-Windows' cmd.run 'net user'

#90
salt -N 'OS-Windows' cmd.run 'net accounts | find "Maximum"'
#1
salt -N 'OS-Windows' cmd.run 'net accounts | find "Minimum password age"'
#8
salt -N 'OS-Windows' cmd.run 'net accounts | find "Minimum password length"'



####2.5 Account lock up policy settings
#30
salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout duration"'
#5
salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout threshold"'
#30
salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout observation window"'


####2.6 Enforce recent password history settings
#12
salt -N 'OS-Windows' cmd.run 'net accounts | find "Length of password"'


####2.7 Password complexity setting

#see last title 'security group policy check'



####2.8 Deactivate encryption settings

#see last title 'security group policy check'



####2.10 User Account Control Settings
#5 or 0x5
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin ' | grep -E ":|REG"



####2.11 Use vulnerable password
#This one we are using Password Generator, which helps us generate more than 12 length password.



####3.1 user directory access authority setting
#no "everyone"
salt -N 'OS-Windows' cmd.run 'icacls C:\Users ' | find "Everyone"'



####3.2 SAM file access authority setting

#no group "Users"
salt -N 'OS-Windows' cmd.run 'icacls "C:\windows/system32/config/SAM"'  |  find "Users"'
#icacls "C:\windows/system32/config/SAM" /remove [users or groups]



####3.3 Use system basic public folder
#no admin$ \ Drive share
salt -N 'OS-Windows' cmd.run 'net share'



####3.4 User sharing folder setting
#net share --> get list of sharing folders ,remove unnecessary sharing folders. About D E F, maybe can consider only give access to administrators group 
#net share sharename=drive:path /GRANT:user,[READ | CHANGE | FULL] /GRANT:user,[READ | CHANGE | FULL]"


####4.1 NetBIOS binding
#shows long message
salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=2'

#or try to see 0 or 1, "No Instance(s) Avaliable"
salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=0'
salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=1'


####4.2 SMTP replay restriction 
#show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "smtpsvc" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "smtpsvc" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "smtpsvc" | find "START_TYPE"'


####4.3 Telnet security setting
#show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "telnet" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "telnet" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "telnet" | find "START_TYPE"'



####4.4 SNMP security setting
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "SNMPTRAP" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "SNMPTRAP" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "SNMPTRAP" | find "START_TYPE"'



####4.5 Terminal service security setting
#0x2 2
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel' | grep -E ":|REG"



####4.6 Remote terminal access timeout setting
#0x5265c00 86400000
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxIdleTime' | grep -E ":|REG"


####4.7 DNS security setting
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "dns" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "dns" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "dns" | find "START_TYPE"'


####4.8 DNS Zone Transfer setting
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "dns" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "dns" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "dns" | find "START_TYPE"'



####4.9 unnecessary service 
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "Alerter" '
#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "Alerter" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "Alerter" | find "START_TYPE"'

show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "ClipSrv" '
#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "ClipSrv" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "ClipSrv" | find "START_TYPE"'

show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "Messenger" '
#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "Messenger" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "Messenger" | find "START_TYPE"'

show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "simptcp" '
#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "simptcp" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "simptcp" | find "START_TYPE"'


####5.1 Auto Logon restriction 
#show "unabl to find" 
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword' | grep -E ":|REG"
# 0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon' | grep -E ":|REG"


###5.2 Null Session restriction
# 0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous' | grep -E ":|REG"
# 0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam' | grep -E ":|REG"
# 0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v restrictnullsessaccess' | grep -E ":|REG"



####5.3 remote registry access restriction 
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "RemoteRegistry" '
#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "RemoteRegistry" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "RemoteRegistry" | find "START_TYPE"'



####5.4 DoS attack defense setting
# 0x2
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SynAttackProtect' | grep -E ":|REG"
#Disables dead gateway detection
# 0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect' | grep -E ":|REG"
#Determines how often TCP sends keep-alive transmissions. TCP sends keep-alive transmissions to verify that an idle connection is still active.
# 0x493e0
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime' | grep -E ":|REG"

#The NetBIOS name for the system will no longer appear under ‘My Network Places’.
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NoNameReleaseOnDemand' | grep -E ":|REG"



###:6.1 audit policy setting
# success and failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Account Management" '
# success and failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Account Logon" '
#failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Privilege Use" '
# success and failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"DS Access" '
# success and failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Logon/Logoff" '
# success and failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Policy change" '
# success
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"System" '
# failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Detailed Tracking" '
# failure
salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Object Access" '



####6.2 Remote log file access authority setting
#no group 'everyone'
salt -N 'OS-Windows' cmd.run 'icacls C:\Windows\System32\config' | find "Everyone"' 

####6.3 event log setting
# 0x5000000 83886080
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security /v MaxSize ' | grep -E ":|REG"


####7.1 the last user name display restriction
#default setting is enable
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername' | grep -E ":|REG"


####7.2 Set messagers for users try to logon
#warn
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption' | grep -E ":|REG"

#big brother is watching you
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext' | grep -E ":|REG"



####7.3 Restriction for Forcing to terminate system in remote system 
#see last title 'security group policy check'



####7.4 restriction for Terminating system without logon
#Default on servers:Disabled
#0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v shutdownwithoutlogon' | grep -E ":|REG"


####7.5 system termination restriction 
#see last title 'security group policy check'



####7.6 Set popup message to users before password expired.
#0xe
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning' | grep -E ":|REG"


####7.7 Do not immediately terminate the system if security audit can’t log 
#Default: Disabled.
#0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v CrashOnAuditFail' | grep -E ":|REG"



####7.8 LAN MANAGER certification level
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel' | grep -E ":|REG"



####7.9 Digital encrypted and signature of security channel
#Default:Enable
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v RequireSignOrSeal' | grep -E ":|REG"
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SealSecureChannel' | grep -E ":|REG"
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SignSecureChannel' | grep -E ":|REG"



####7.10 Required time before session disconnected
#Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
#0xf
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Print Services" /v autodisconnect' | grep -E ":|REG"


####7.11 Removable media format and bringing out restriction 
#0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateDASD' | grep -E ":|REG"


####7.12 Restrict using blank password in local account at local logon
#Default: Enabled
#0x1
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse' | grep -E ":|REG"



####7.13 Allow changing NULL SID/name restriction 
#Default on workstations and member servers: Disabled.
#see last title 'security group policy check'



####7.14 Restricting Everyone authority to NULL user
#Default: Disabled.
#0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous' | grep -E ":|REG"


####7.15 computer account password restriction 
#0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" /v DisablePasswordChange' | grep -E ":|REG"

#0x5a
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" /v MaximumPasswordAge' | grep -E ":|REG"


####7.16 Restriction for user installing printer driver
#0x0
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services" /v AddPrinterDrivers' | grep -E ":|REG"



####e1.MaxIdleTime & MaxConnectionTime

#0x1b7740   disconnect after 30min no operate [only on CM]

salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxIdleTime' | grep -E ":|REG"



#0x5265c00 1day logoff disconnected user [ logD0* exclude ]
salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime ' | grep -E ":|REG"



####e2.disable USB on servers
#0x4
salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start' | grep -E ":|REG"



#### e3.disable all disconnected network interface

salt '*' cmd.run ' netsh interface show interface | find "Disconnected" ' #check all "Disconnected" is "Disabled"





#### e4.disable all DB server external interface

salt -N DB cmd.run ' ipconfig /all | findstr "IPv4" '   #check no external IP exsit



#### e5.MinEncryptionLevel   

#gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Set client connection encryption level -> "Enabled" -> "Client Compatible"

#0x2   MinEncryptionLevel REG_DWORD   [ logD0* exclude ]
salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MinEncryptionLevel' | grep -E ":|REG"


####:added1
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "WinRM" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "WinRM" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "WinRM" | find "START_TYPE"'



####:added2
show does not exist
salt -N 'OS-Windows' cmd.run 'sc query "SNMP" '

#or
#show stopped
salt -N 'OS-Windows' cmd.run 'sc query "SNMP" | find "STATE"' 
#show disabled
salt -N 'OS-Windows' cmd.run 'sc qc "SNMP" | find "START_TYPE"'



####security group policy check

#export 
salt -N 'OS-Windows' cmd.run 'pushd C:\ && secedit /export /cfg newexport.inf'

#0
salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "ClearTextPassword" newexport.inf'
#1
salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "PasswordComplexity" newexport.inf'
#0
salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "LSAAnonymousNameLookup" newexport.inf'
#*S-1-5-32-544
salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "SeRemoteShutdownPrivilege" newexport.inf'
#*S-1-5-32-544
salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "SeShutdownPrivilege" newexport.inf'

#delete exported inf file
salt -N 'OS-Windows' cmd.run 'pushd C:\ && del newexport.inf'

Previous7.OS_Harden Nextsecurity_policy_command.bat

Last updated 6 years ago

####2.1 Remove unnecessary user accounts in administrator group, manual confirm #show all users in administrators group salt -N 'OS-Windows' cmd.run 'net localgroup administrators' #delete salt -N 'OS-Windows' cmd.run 'net localgroup administrators user1 /delete'"' #2.2 Disable Guest Account #no salt -N 'OS-Windows' cmd.run 'net user guest | find "active"' ####2.3 Delete unnecessary account management salt -N 'OS-Windows' cmd.run 'net user' #show all users , then decide which account should be delete salt -N 'OS-Windows' cmd.run 'net user [users] /delete' ####2.9 Change Admin account name #yes salt -N 'OS-Windows' cmd.run 'net user Starbucks | find "active"' ####2.4 Password Policy Settings salt -N 'OS-Windows' cmd.run 'net user' #90 salt -N 'OS-Windows' cmd.run 'net accounts | find "Maximum"' #1 salt -N 'OS-Windows' cmd.run 'net accounts | find "Minimum password age"' #8 salt -N 'OS-Windows' cmd.run 'net accounts | find "Minimum password length"' ####2.5 Account lock up policy settings #30 salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout duration"' #5 salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout threshold"' #30 salt -N 'OS-Windows' cmd.run 'net accounts | find "Lockout observation window"' ####2.6 Enforce recent password history settings #12 salt -N 'OS-Windows' cmd.run 'net accounts | find "Length of password"' ####2.7 Password complexity setting #see last title 'security group policy check' ####2.8 Deactivate encryption settings #see last title 'security group policy check' ####2.10 User Account Control Settings #5 or 0x5 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin ' | grep -E ":|REG" ####2.11 Use vulnerable password #This one we are using Password Generator, which helps us generate more than 12 length password. ####3.1 user directory access authority setting #no "everyone" salt -N 'OS-Windows' cmd.run 'icacls C:\Users ' | find "Everyone"' ####3.2 SAM file access authority setting #no group "Users" salt -N 'OS-Windows' cmd.run 'icacls "C:\windows/system32/config/SAM"' | find "Users"' #icacls "C:\windows/system32/config/SAM" /remove [users or groups] ####3.3 Use system basic public folder #no admin$ \ Drive share salt -N 'OS-Windows' cmd.run 'net share' ####3.4 User sharing folder setting #net share --> get list of sharing folders ,remove unnecessary sharing folders. About D E F, maybe can consider only give access to administrators group #net share sharename=drive:path /GRANT:user,[READ | CHANGE | FULL] /GRANT:user,[READ | CHANGE | FULL]" ####4.1 NetBIOS binding #shows long message salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=2' #or try to see 0 or 1, "No Instance(s) Avaliable" salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=0' salt -N 'OS-Windows' cmd.run 'wmic nicconfig where TcpipNetbiosOptions=1' ####4.2 SMTP replay restriction #show does not exist salt -N 'OS-Windows' cmd.run 'sc query "smtpsvc" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "smtpsvc" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "smtpsvc" | find "START_TYPE"' ####4.3 Telnet security setting #show does not exist salt -N 'OS-Windows' cmd.run 'sc query "telnet" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "telnet" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "telnet" | find "START_TYPE"' ####4.4 SNMP security setting show does not exist salt -N 'OS-Windows' cmd.run 'sc query "SNMPTRAP" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "SNMPTRAP" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "SNMPTRAP" | find "START_TYPE"' ####4.5 Terminal service security setting #0x2 2 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel' | grep -E ":|REG" ####4.6 Remote terminal access timeout setting #0x5265c00 86400000 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxIdleTime' | grep -E ":|REG" ####4.7 DNS security setting show does not exist salt -N 'OS-Windows' cmd.run 'sc query "dns" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "dns" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "dns" | find "START_TYPE"' ####4.8 DNS Zone Transfer setting show does not exist salt -N 'OS-Windows' cmd.run 'sc query "dns" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "dns" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "dns" | find "START_TYPE"' ####4.9 unnecessary service show does not exist salt -N 'OS-Windows' cmd.run 'sc query "Alerter" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "Alerter" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "Alerter" | find "START_TYPE"' show does not exist salt -N 'OS-Windows' cmd.run 'sc query "ClipSrv" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "ClipSrv" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "ClipSrv" | find "START_TYPE"' show does not exist salt -N 'OS-Windows' cmd.run 'sc query "Messenger" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "Messenger" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "Messenger" | find "START_TYPE"' show does not exist salt -N 'OS-Windows' cmd.run 'sc query "simptcp" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "simptcp" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "simptcp" | find "START_TYPE"' ####5.1 Auto Logon restriction #show "unabl to find" salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword' | grep -E ":|REG" # 0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon' | grep -E ":|REG" ###5.2 Null Session restriction # 0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous' | grep -E ":|REG" # 0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam' | grep -E ":|REG" # 0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v restrictnullsessaccess' | grep -E ":|REG" ####5.3 remote registry access restriction show does not exist salt -N 'OS-Windows' cmd.run 'sc query "RemoteRegistry" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "RemoteRegistry" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "RemoteRegistry" | find "START_TYPE"' ####5.4 DoS attack defense setting # 0x2 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SynAttackProtect' | grep -E ":|REG" #Disables dead gateway detection # 0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableDeadGWDetect' | grep -E ":|REG" #Determines how often TCP sends keep-alive transmissions. TCP sends keep-alive transmissions to verify that an idle connection is still active. # 0x493e0 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v KeepAliveTime' | grep -E ":|REG" #The NetBIOS name for the system will no longer appear under ‘My Network Places’. #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NoNameReleaseOnDemand' | grep -E ":|REG" ###:6.1 audit policy setting # success and failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Account Management" ' # success and failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Account Logon" ' #failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Privilege Use" ' # success and failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"DS Access" ' # success and failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Logon/Logoff" ' # success and failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Policy change" ' # success salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"System" ' # failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Detailed Tracking" ' # failure salt -N 'OS-Windows' cmd.run 'AuditPol /Get /Category:"Object Access" ' ####6.2 Remote log file access authority setting #no group 'everyone' salt -N 'OS-Windows' cmd.run 'icacls C:\Windows\System32\config' | find "Everyone"' ####6.3 event log setting # 0x5000000 83886080 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security /v MaxSize ' | grep -E ":|REG" ####7.1 the last user name display restriction #default setting is enable #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername' | grep -E ":|REG" ####7.2 Set messagers for users try to logon #warn salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption' | grep -E ":|REG" #big brother is watching you salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext' | grep -E ":|REG" ####7.3 Restriction for Forcing to terminate system in remote system #see last title 'security group policy check' ####7.4 restriction for Terminating system without logon #Default on servers:Disabled #0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v shutdownwithoutlogon' | grep -E ":|REG" ####7.5 system termination restriction #see last title 'security group policy check' ####7.6 Set popup message to users before password expired. #0xe salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning' | grep -E ":|REG" ####7.7 Do not immediately terminate the system if security audit can’t log #Default: Disabled. #0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v CrashOnAuditFail' | grep -E ":|REG" ####7.8 LAN MANAGER certification level salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel' | grep -E ":|REG" ####7.9 Digital encrypted and signature of security channel #Default:Enable #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v RequireSignOrSeal' | grep -E ":|REG" #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SealSecureChannel' | grep -E ":|REG" #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SignSecureChannel' | grep -E ":|REG" ####7.10 Required time before session disconnected #Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. #0xf salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Print Services" /v autodisconnect' | grep -E ":|REG" ####7.11 Removable media format and bringing out restriction #0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateDASD' | grep -E ":|REG" ####7.12 Restrict using blank password in local account at local logon #Default: Enabled #0x1 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse' | grep -E ":|REG" ####7.13 Allow changing NULL SID/name restriction #Default on workstations and member servers: Disabled. #see last title 'security group policy check' ####7.14 Restricting Everyone authority to NULL user #Default: Disabled. #0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous' | grep -E ":|REG" ####7.15 computer account password restriction #0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" /v DisablePasswordChange' | grep -E ":|REG" #0x5a salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" /v MaximumPasswordAge' | grep -E ":|REG" ####7.16 Restriction for user installing printer driver #0x0 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services" /v AddPrinterDrivers' | grep -E ":|REG" ####e1.MaxIdleTime & MaxConnectionTime #0x1b7740 disconnect after 30min no operate [only on CM] salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxIdleTime' | grep -E ":|REG" #0x5265c00 1day logoff disconnected user [ logD0* exclude ] salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime ' | grep -E ":|REG" ####e2.disable USB on servers #0x4 salt -N 'OS-Windows' cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start' | grep -E ":|REG" #### e3.disable all disconnected network interface salt '*' cmd.run ' netsh interface show interface | find "Disconnected" ' #check all "Disconnected" is "Disabled" #### e4.disable all DB server external interface salt -N DB cmd.run ' ipconfig /all | findstr "IPv4" ' #check no external IP exsit #### e5.MinEncryptionLevel #gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Set client connection encryption level -> "Enabled" -> "Client Compatible" #0x2 MinEncryptionLevel REG_DWORD [ logD0* exclude ] salt -N OS-Windows cmd.run 'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MinEncryptionLevel' | grep -E ":|REG" ####:added1 show does not exist salt -N 'OS-Windows' cmd.run 'sc query "WinRM" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "WinRM" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "WinRM" | find "START_TYPE"' ####:added2 show does not exist salt -N 'OS-Windows' cmd.run 'sc query "SNMP" ' #or #show stopped salt -N 'OS-Windows' cmd.run 'sc query "SNMP" | find "STATE"' #show disabled salt -N 'OS-Windows' cmd.run 'sc qc "SNMP" | find "START_TYPE"' ####security group policy check #export salt -N 'OS-Windows' cmd.run 'pushd C:\ && secedit /export /cfg newexport.inf' #0 salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "ClearTextPassword" newexport.inf' #1 salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "PasswordComplexity" newexport.inf' #0 salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "LSAAnonymousNameLookup" newexport.inf' #*S-1-5-32-544 salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "SeRemoteShutdownPrivilege" newexport.inf' #*S-1-5-32-544 salt -N 'OS-Windows' cmd.run 'pushd C:\ && find "SeShutdownPrivilege" newexport.inf' #delete exported inf file salt -N 'OS-Windows' cmd.run 'pushd C:\ && del newexport.inf'