AD Security Checklist yazımda sizlere PowerShell yardımıyla Active Directory güvenliğinin nasıl kontrol edileceğini göstereceğim. Buradaki ana amaç Domain Controller güvenliğidir. Kontroller, Domain Controller’a uygulanan policy’lere ve security baseline’a göre yapılmaktadır.
Görselleştirme için PSWriteHTML kullandım. Sizlerin de modülü indirip import etmeniz gerekmektedir. Değerler tamamen security baseline’a göre alınmıştır.
- Password Policy
- Lockout Policy
- Security Templates
- User Right Assignment
- Administrative Templates
- Kritik hesaplar
- Windows Güvenliği ve sağlığı
- User’ların istatistikleri
- Admin Grupları
- AD Functions
gibi tüm noktaları kontrol ederek sizlere görselleştirme yapacaktır.
Görseldeki gibi kırmızı veya yeşil sonuç alacaksınız. Olması gereken değerler sonuçların altında yazmaktadır.
Burada önemli noktalardan biri, değerlerin Domain Controllers OU’suna uygulanan policy’ler üzerinden alınmasıdır. GPO’lar parse edilerek ve registry değerleri baz alınarak sonuçlar elde edilmiştir. Bu yazıda Version 1’i paylaştım; ilerleyen dönemlerde daha farklı sürümler yapılacaktır.
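# Load the PSWriteHTML module that renders the report.
# NOTE(review): the manifest is resolved relative to the current directory, so
# whichever PSWriteHTML.psd1 sits there is loaded into a session that can read
# the directory. Run the script only from a directory you control and obtain
# the module from a source you trust.
Import-Module .\PSWriteHTML.psd1 -Force

# Locate the Domain Controllers OU through the domain object instead of by
# display name. An OU called "Domain Controllers" can exist more than once in
# the tree; a name match would then return several OUs and the GPO inheritance
# lookup would no longer target the real DC container.
# The result keeps the DistinguishedName property the rest of the script reads.
$DCOUCheck = Get-ADOrganizationalUnit -Identity (Get-ADDomain).DomainControllersContainer |
    Select-Object -Property DistinguishedName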
New-HTML -TitleText 'Active Directory Checking' -Online {
# GPO links that apply to the Domain Controllers OU, inherited links included.
# Only the GUID and the display name of each link are kept.
$allgpoenabled = (Get-GPInheritance -Target $DCOUCheck.DistinguishedName).InheritedGpoLinks |
    Select-Object -Property GpoId, DisplayName
# GUIDs only: this is the list the report functions iterate over.
$allgpoenabledgpoid = $allgpoenabled.gpoID
function UserrightManagement {
    <#
    .SYNOPSIS
    Lists the User Rights Assignment entries of every GPO in $allgpoenabledgpoid.
    .DESCRIPTION
    Reads $allgpoenabledgpoid from the enclosing scope, fetches the XML report
    of each GPO with Get-GPOReport and walks
    GPO.Computer.ExtensionData.extension.UserRightsAssignment.
    One object is emitted per (right, member) pair. Entries of all GPOs are
    emitted as found; nothing here resolves precedence between GPOs.
    .OUTPUTS
    PSCustomObject with the properties UserRightAssesmentName and GroupsorUsers.
    #>
    foreach ($policyGuid in $allgpoenabledgpoid) {
        [xml]$reportXml = Get-GPOReport -Guid "$policyGuid" -ReportType Xml
        foreach ($right in $reportXml.GPO.Computer.ExtensionData.extension.UserRightsAssignment) {
            foreach ($member in $right.Member.Name) {
                [PSCustomObject]@{
                    "UserRightAssesmentName" = $right.name
                    "GroupsorUsers"          = $member.'#text'
                }
            }
        }
    }
}
function ComputerPolicy {
    <#
    .SYNOPSIS
    Lists the computer-side Policy entries of every GPO in $allgpoenabledgpoid.
    .DESCRIPTION
    Reads $allgpoenabledgpoid from the enclosing scope, fetches the XML report
    of each GPO with Get-GPOReport and walks
    GPO.Computer.ExtensionData.extension.Policy.
    Entries of all GPOs are emitted as found; nothing here resolves precedence
    between GPOs.
    .OUTPUTS
    PSCustomObject with Name, State, dropdownlistvaluename, listbox and listboxname.
    #>
    foreach ($policyGuid in $allgpoenabledgpoid) {
        [xml]$reportXml = Get-GPOReport -Guid "$policyGuid" -ReportType Xml
        foreach ($entry in $reportXml.GPO.Computer.ExtensionData.extension.Policy) {
            [PSCustomObject]@{
                Name                  = $entry.Name
                State                 = $entry.State
                dropdownlistvaluename = $entry.DropDownList.Value.name
                listbox               = $entry.ListBox.value.Element.data
                listboxname           = $entry.ListBox.value.Element.name
            }
        }
    }
}
function SecuritySettings {
    <#
    .SYNOPSIS
    Lists the Security Options entries of every GPO in $allgpoenabledgpoid.
    .DESCRIPTION
    Reads $allgpoenabledgpoid from the enclosing scope, fetches the XML report
    of each GPO with Get-GPOReport and walks
    GPO.Computer.ExtensionData.extension.SecurityOptions.
    Entries of all GPOs are emitted as found, so a caller that filters by
    KeyName receives one object per GPO that defines the key.
    .OUTPUTS
    PSCustomObject with KeyName, OtherKeyName, SettingNumber and Display.
    #>
    foreach ($policyGuid in $allgpoenabledgpoid) {
        [xml]$reportXml = Get-GPOReport -Guid "$policyGuid" -ReportType Xml
        foreach ($option in $reportXml.GPO.Computer.ExtensionData.extension.SecurityOptions) {
            [PSCustomObject]@{
                KeyName       = $option.KeyName
                OtherKeyName  = $option.SystemAccessPolicyName
                SettingNumber = $option.SettingNumber
                Display       = $option.Display.Name
            }
        }
    }
}
function Account {
    <#
    .SYNOPSIS
    Lists the account policy entries of every GPO in $allgpoenabledgpoid.
    .DESCRIPTION
    Reads $allgpoenabledgpoid from the enclosing scope, fetches the XML report
    of each GPO with Get-GPOReport and walks
    GPO.Computer.ExtensionData.extension.Account.
    Entries of all GPOs are emitted as found, so a caller that filters by Name
    receives one object per GPO that defines the setting.
    .OUTPUTS
    PSCustomObject with Name, SettingNumber, SettingBoolean and Type.
    #>
    foreach ($policyGuid in $allgpoenabledgpoid) {
        [xml]$reportXml = Get-GPOReport -Guid "$policyGuid" -ReportType Xml
        foreach ($entry in $reportXml.GPO.Computer.ExtensionData.extension.Account) {
            [PSCustomObject]@{
                Name           = $entry.Name
                SettingNumber  = $entry.SettingNumber
                SettingBoolean = $entry.SettingBoolean
                Type           = $entry.Type
            }
        }
    }
}
function Audit {
    <#
    .SYNOPSIS
    Lists the audit subcategory settings of every GPO in $allgpoenabledgpoid.
    .DESCRIPTION
    Reads $allgpoenabledgpoid from the enclosing scope, fetches the XML report
    of each GPO with Get-GPOReport and walks
    GPO.Computer.ExtensionData.extension.AuditSetting.
    Entries of all GPOs are emitted as found; nothing here resolves precedence
    between GPOs.
    .OUTPUTS
    PSCustomObject with SubcategoryName and SettingValue.
    #>
    foreach ($policyGuid in $allgpoenabledgpoid) {
        [xml]$reportXml = Get-GPOReport -Guid "$policyGuid" -ReportType Xml
        foreach ($entry in $reportXml.GPO.Computer.ExtensionData.extension.AuditSetting) {
            [PSCustomObject]@{
                SubcategoryName = $entry.SubcategoryName
                SettingValue    = $entry.SettingValue
            }
        }
    }
}
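New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Password Policy'
    New-HTMLPanel -Invisible {
        # Password and lockout policy section.
        # Each setting is looked up in the account policy entries returned by
        # Account and compared with a fixed expected value. In the status text,
        # "Setting is True" means compliant and "Setting is False" non-compliant;
        # the value read from the GPO report follows the text.
        #
        # NOTE(review): every comparison is an exact match, so a stricter value
        # (for example a longer minimum length) is reported as non-compliant -
        # confirm that this is intended.
        # NOTE(review): Account returns one entry per GPO that defines a setting.
        # With several such GPOs the variables below hold all of them and -eq
        # passes if any one matches; the effective value is the one from the
        # winning GPO - confirm and reduce to that entry.
        # NOTE(review): the GPO list comes from the Domain Controllers OU. Account
        # policy for domain accounts is normally taken from GPOs linked at the
        # domain root, so a value defined only in an OU-linked GPO may be shown
        # here without being the effective domain policy - verify. Fine-grained
        # password policies are not inspected by this section.
        $passwordpolicysecurepoint = 0

        # One sweep over the GPO reports instead of one per setting.
        $accountSettings = @(Account)

        ## LockoutDuration (expected 15, 10 points)
        $lockoutduration = $accountSettings | Where-Object { $_.Name -eq "LockoutDuration" } | Select-Object Name, SettingNumber
        if ($null -eq $lockoutduration) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Duration' -Status "Setting is Not Defined $($lockoutduration.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 15' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "lockoutduration is defined" -ForegroundColor Green
            if ($lockoutduration.SettingNumber -eq 15) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Duration' -Status "Setting is True $($lockoutduration.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Duration' -Status "Setting is False $($lockoutduration.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 15' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## LockoutBadCount (expected 10, 10 points)
        $LockOutThreshold = $accountSettings | Where-Object { $_.Name -eq "LockoutBadCount" } | Select-Object Name, SettingNumber
        if ($null -eq $LockOutThreshold) {
            # Fixed: this branch is the undefined case; it used to say "Setting is Defined".
            New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Bad Count' -Status "Setting is Not Defined $($LockOutThreshold.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 10' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "LockOutThreshold is defined" -ForegroundColor Green
            if ($LockOutThreshold.SettingNumber -eq 10) {
                # Fixed: the property name was misspelled, so the value was never shown.
                New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Bad Count' -Status "Setting is True $($LockOutThreshold.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Lockout Bad Count' -Status "Setting is False $($LockOutThreshold.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 10' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## ResetLockoutCount (expected 15, 10 points)
        $ResetLockoutCount = $accountSettings | Where-Object { $_.Name -eq "ResetLockoutCount" } | Select-Object Name, SettingNumber
        if ($null -eq $ResetLockoutCount) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Reset account lockout counter after' -Status "Setting is Not Defined $($ResetLockoutCount.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 15' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "ResetLockoutCount is defined" -ForegroundColor Green
            if ($ResetLockoutCount.SettingNumber -eq 15) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Reset account lockout counter after' -Status "Setting is True $($ResetLockoutCount.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Reset account lockout counter after' -Status "Setting is False $($ResetLockoutCount.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 15' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## PasswordHistorySize (expected 24, 10 points)
        $PasswordHistorySize = $accountSettings | Where-Object { $_.Name -eq "PasswordHistorySize" } | Select-Object Name, SettingNumber
        if ($null -eq $PasswordHistorySize) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Enforce password history' -Status "Setting is Not Defined $($PasswordHistorySize.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 24' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "PasswordHistorySize is defined" -ForegroundColor Green
            if ($PasswordHistorySize.SettingNumber -eq 24) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Enforce password history' -Status "Setting is True $($PasswordHistorySize.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Enforce password history' -Status "Setting is False $($PasswordHistorySize.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 24' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## MinimumPasswordAge (expected 1, 10 points)
        $MinimumPasswordAge = $accountSettings | Where-Object { $_.Name -eq "MinimumPasswordAge" } | Select-Object Name, SettingNumber
        if ($null -eq $MinimumPasswordAge) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Minimun Password Age' -Status "Setting is not Defined $($MinimumPasswordAge.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 1' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "MinimumPasswordAge is defined" -ForegroundColor Green
            if ($MinimumPasswordAge.SettingNumber -eq 1) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Minimun Password Age' -Status "Setting is True $($MinimumPasswordAge.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Minimun Password Age' -Status "Setting is False $($MinimumPasswordAge.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 1 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## MaximumPasswordAge (expected 60, 15 points)
        $MaximumPasswordAge = $accountSettings | Where-Object { $_.Name -eq "MaximumPasswordAge" } | Select-Object Name, SettingNumber
        if ($null -eq $MaximumPasswordAge) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Maximum Password Age' -Status "Setting is not Defined $($MaximumPasswordAge.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 60' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "MaximumPasswordAge is defined" -ForegroundColor Green
            if ($MaximumPasswordAge.SettingNumber -eq 60) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Maximum Password Age' -Status "Setting is True $($MaximumPasswordAge.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 15
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Maximum Password Age' -Status "Setting is False $($MaximumPasswordAge.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 60' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## MinimumPasswordLength (expected 14, 15 points)
        $MinimumPasswordLength = $accountSettings | Where-Object { $_.Name -eq "MinimumPasswordLength" } | Select-Object Name, SettingNumber
        if ($null -eq $MinimumPasswordLength) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Minumum Password Length' -Status "Setting is not Defined $($MinimumPasswordLength.SettingNumber)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be 14 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "MinimumPasswordLength is defined" -ForegroundColor Green
            if ($MinimumPasswordLength.SettingNumber -eq 14) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Minumum Password Length' -Status "Setting is True $($MinimumPasswordLength.SettingNumber)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 15
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Minumum Password Length' -Status "Setting is False $($MinimumPasswordLength.SettingNumber)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be 14 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## PasswordComplexity (expected enabled, 15 points)
        $PasswordComplexity = $accountSettings | Where-Object { $_.Name -eq "PasswordComplexity" } | Select-Object Name, SettingBoolean
        if ($null -eq $PasswordComplexity) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Password Complexity' -Status "Setting is not Defined $($PasswordComplexity.SettingBoolean)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            if ($PasswordComplexity.SettingBoolean -eq $true) {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Password Complexity' -Status "Setting is True $($PasswordComplexity.SettingBoolean)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 15
            }
            else {
                # Fixed: the setting is defined here but has the wrong value.
                New-HTMLStatus { New-HTMLStatusItem -Name 'Password Complexity' -Status "Setting is False $($PasswordComplexity.SettingBoolean)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ## ClearTextPassword - "Store passwords using reversible encryption"
        ## (expected disabled, 10 points)
        $ClearTextPassword = $accountSettings | Where-Object { $_.Name -eq "ClearTextPassword" } | Select-Object Name, SettingBoolean
        if ($null -eq $ClearTextPassword) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Store passwords using reversible encryption' -Status "Setting is not Defined $($ClearTextPassword.SettingBoolean)" -Icon Bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "ClearTextPassword is defined" -ForegroundColor Green
            # Fixed: the test was inverted. Reversible encryption being enabled
            # was scored as good and disabled as bad, the opposite of the
            # "Must Be Disabled" hint. The report XML carries the value as text,
            # so it is compared as a string.
            if ("$($ClearTextPassword.SettingBoolean)" -eq 'false') {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Store passwords using reversible encryption' -Status "Setting is True $($ClearTextPassword.SettingBoolean)" -Icon Good -Percentage '100%' }
                $passwordpolicysecurepoint += 10
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Store passwords using reversible encryption' -Status "Setting is False $($ClearTextPassword.SettingBoolean)" -Icon Bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        New-HTMLChart {
            # The point weights above add up to 105, so the gauge value is capped at 100.
            New-ChartRadial -Name "PasswordPolicy Score" -Value ([Math]::Min(100, $passwordpolicysecurepoint)) -Color Green
            New-ChartRadialOptions -CircleType SemiCircleGauge
        }
    }
}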
New-HTMLContainer {
New-HTMLHeading -Heading h1 -HeadingText 'Security Templates'
New-HTMLPanel -Invisible {
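# Accounts: Limit local account use of blank passwords to console logon only
# (LimitBlankPasswordUse). Passes when the value is 1; an undefined setting is
# reported as compliant ("Default True").
$AccountsBlankConsole = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse" } | Select-Object Display, SettingNumber
if ($null -eq $AccountsBlankConsole) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Accounts: Limit local account use of blank passwords to console logon only' -Status "Setting is Default True $($AccountsBlankConsole.SettingNumber)" -Icon Good -Percentage '100%' }
}
else {
    Write-Host "AccountsBlankConsole is defined" -ForegroundColor Green
    if ($AccountsBlankConsole.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Accounts: Limit local account use of blank passwords to console logon only' -Status "Setting is True $($AccountsBlankConsole.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # Fixed: the setting is defined but wrong here, the property name was
        # misspelled (value never shown), and the hint said "Disabled" although
        # the check passes on 1 (enabled).
        New-HTMLStatus { New-HTMLStatusItem -Name 'Accounts: Limit local account use of blank passwords to console logon only' -Status "Setting is False $($AccountsBlankConsole.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}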
## Started ###
# Audit: Force audit policy subcategory settings to override audit policy
# category settings (SCENoApplyLegacyAuditPolicy). Passes when the value is 1;
# an undefined setting is reported as "Default Enabled".
$AuditPolicyCategorySettings = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $AuditPolicyCategorySettings) {
    Write-Host "AuditPolicyCategorySettings is defined" -ForegroundColor Green
    if ($AuditPolicyCategorySettings.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' -Status "Setting is True $($AuditPolicyCategorySettings.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' -Status "Setting is False $($AuditPolicyCategorySettings.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
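# Domain controller: LDAP server signing requirements (LDAPServerIntegrity).
# Passes only when the value is 2, which the hint calls "Require signing";
# an undefined setting is reported as non-compliant.
$DomainControllerLpadsigning = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" } | Select-Object Display, SettingNumber
if ($null -eq $DomainControllerLpadsigning) {
    # Fixed: this is the undefined case; it used to be reported as "Setting is False".
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: LDAP server signing requirements' -Status "Setting is not Defined $($DomainControllerLpadsigning.SettingNumber)" -Icon Bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require signing' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "DomainControllerLpadsigning is defined" -ForegroundColor Green
    if ($DomainControllerLpadsigning.SettingNumber -eq 2) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: LDAP server signing requirements' -Status "Setting is True $($DomainControllerLpadsigning.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: LDAP server signing requirements' -Status "Setting is False $($DomainControllerLpadsigning.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require signing' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}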
# Domain controller: Refuse machine account password changes
# (Netlogon RefusePasswordChange). Passes when the value is 0; an undefined
# setting is reported as "Default Disabled".
$DomainControllerrefusemachinepass = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainControllerrefusemachinepass) {
    Write-Host "DomainControllerrefusemachinepass is defined" -ForegroundColor Green
    if ($DomainControllerrefusemachinepass.SettingNumber -eq 0) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: Refuse machine account password changes' -Status "Setting is True $($DomainControllerrefusemachinepass.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: Refuse machine account password changes' -Status "Setting is False $($DomainControllerrefusemachinepass.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain controller: Refuse machine account password changes' -Status "Setting is Default Disabled" -Icon Good -Percentage '100%' }
}
# Domain member: Digitally encrypt or sign secure channel data (always)
# (Netlogon RequireSignOrSeal). Passes when the value is 1; an undefined
# setting is reported as "Default Enabled".
$DomainMemberSignalways = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainMemberSignalways) {
    Write-Host "DomainMemberSignalways is defined" -ForegroundColor Green
    if ($DomainMemberSignalways.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt or sign secure channel data (always)' -Status "Setting is True $($DomainMemberSignalways.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt or sign secure channel data (always)' -Status "Setting is False $($DomainMemberSignalways.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt or sign secure channel data (always) ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
# Domain member: Digitally encrypt secure channel data (when possible)
# (Netlogon SealSecureChannel). Passes when the value is 1; an undefined
# setting is reported as "Default Enabled".
$DomainMemberSignwhenpossible = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainMemberSignwhenpossible) {
    Write-Host "DomainMemberSignwhenpossible is defined" -ForegroundColor Green
    if ($DomainMemberSignwhenpossible.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt secure channel data (when possible)' -Status "Setting is True $($DomainMemberSignwhenpossible.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt secure channel data (when possible)' -Status "Setting is False $($DomainMemberSignwhenpossible.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally encrypt secure channel data (when possible) ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
# Domain member: Digitally sign secure channel data (when possible)
# (Netlogon SignSecureChannel). Passes when the value is 1; an undefined
# setting is reported as "Default Enabled".
$DomainMemberSignwhenpossiblechannel = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainMemberSignwhenpossiblechannel) {
    Write-Host "DomainMemberSignwhenpossiblechannel is defined" -ForegroundColor Green
    if ($DomainMemberSignwhenpossiblechannel.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally sign secure channel data (when possible)' -Status "Setting is True $($DomainMemberSignwhenpossiblechannel.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally sign secure channel data (when possible)' -Status "Setting is False $($DomainMemberSignwhenpossiblechannel.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Digitally sign secure channel data (when possible) ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
# Domain member: Disable machine account password changes
# (Netlogon DisablePasswordChange). Passes when the value is 0; an undefined
# setting is reported as "Default Disabled".
$DomainMemberdisablemachinepass = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainMemberdisablemachinepass) {
    Write-Host "DomainMemberdisablemachinepass is defined" -ForegroundColor Green
    if ($DomainMemberdisablemachinepass.SettingNumber -eq 0) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Disable machine account password changes' -Status "Setting is True $($DomainMemberdisablemachinepass.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Disable machine account password changes' -Status "Setting is False $($DomainMemberdisablemachinepass.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Disable machine account password changes ' -Status "Setting is Default Disabled" -Icon Good -Percentage '100%' }
}
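# Domain member: Maximum machine account password age
# (Netlogon MaximumPasswordAge). Passes when the value is exactly 30; an
# undefined setting is reported as "Default 30 Days".
# NOTE(review): a shorter, stricter age is reported as non-compliant because
# the comparison is an exact match - confirm that this is intended.
$DomainMembermaxmacpassage = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge" } | Select-Object Display, SettingNumber
if ($null -eq $DomainMembermaxmacpassage) {
    New-HTMLStatus { New-HTMLStatusItem -Name ' Domain member: Maximum machine account password age' -Status "Setting is Default 30 Days" -Icon Good -Percentage '100%' }
}
else {
    Write-Host "DomainMembermaxmacpassage is defined" -ForegroundColor Green
    if ($DomainMembermaxmacpassage.SettingNumber -eq 30) {
        New-HTMLStatus { New-HTMLStatusItem -Name ' Domain member: Maximum machine account password age' -Status "Setting is True $($DomainMembermaxmacpassage.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # Fixed: the failing item had an empty name, so the report showed a red
        # entry without saying which setting it belongs to.
        New-HTMLStatus { New-HTMLStatusItem -Name ' Domain member: Maximum machine account password age' -Status "Setting is False $($DomainMembermaxmacpassage.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be 30 Days ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}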
# Domain member: Require strong (Windows 2000 or later) session key
# (Netlogon RequireStrongKey). Passes when the value is 1; an undefined
# setting is reported as "Default Enabled".
$DomainMembersessionkey = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $DomainMembersessionkey) {
    Write-Host "DomainMembersessionkey is defined" -ForegroundColor Green
    if ($DomainMembersessionkey.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Require strong (Windows 2000 or later) session key' -Status "Setting is True $($DomainMembersessionkey.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Require strong (Windows 2000 or later) session key' -Status "Setting is False $($DomainMembersessionkey.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Domain member: Require strong (Windows 2000 or later) session key ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
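# Interactive logon: Machine inactivity limit (InactivityTimeoutSecs).
# Passes when the value is exactly 900; an undefined setting is reported as
# non-compliant.
# NOTE(review): a shorter, stricter timeout is reported as non-compliant
# because the comparison is an exact match - confirm that this is intended.
$Interactiveinactivelimit = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs" } | Select-Object Display, SettingNumber
if ($null -eq $Interactiveinactivelimit) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Interactive logon: Machine inactivity limit' -Status "Setting is not Defined $($Interactiveinactivelimit.SettingNumber)" -Icon Bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be 900 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Interactiveinactivelimit is defined" -ForegroundColor Green
    if ($Interactiveinactivelimit.SettingNumber -eq 900) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Interactive logon: Machine inactivity limit' -Status "Setting is True $($Interactiveinactivelimit.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # Fixed: the setting is defined but has another value; it used to be
        # reported as "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Interactive logon: Machine inactivity limit' -Status "Setting is False $($Interactiveinactivelimit.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be 900 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}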
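# Microsoft network client: Digitally sign communications (always)
# (LanmanWorkstation RequireSecuritySignature). Passes when the value is 1;
# an undefined setting is reported as non-compliant.
$MSnetworkclientdigitalsignalways = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature" } | Select-Object Display, SettingNumber
if ($null -eq $MSnetworkclientdigitalsignalways) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network client: Digitally sign communications (always)' -Status "Setting is not Defined $($MSnetworkclientdigitalsignalways.SettingNumber)" -Icon Bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "MSnetworkclientdigitalsignalways is defined" -ForegroundColor Green
    if ($MSnetworkclientdigitalsignalways.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network client: Digitally sign communications (always)' -Status "Setting is True $($MSnetworkclientdigitalsignalways.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # Fixed: the setting is defined but has another value; it used to be
        # reported as "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network client: Digitally sign communications (always)' -Status "Setting is False $($MSnetworkclientdigitalsignalways.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}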
# Microsoft network client: Send unencrypted password to third-party SMB
# servers (LanmanWorkstation EnablePlainTextPassword). Passes when the value
# is 0; an undefined setting is reported as "Default Disabled".
$MSnetworkclient3partysmbserver = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $MSnetworkclient3partysmbserver) {
    Write-Host "MSnetworkclient3partysmbserver is defined" -ForegroundColor Green
    if ($MSnetworkclient3partysmbserver.SettingNumber -eq 0) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network client: Send unencrypted password to third-party SMB servers' -Status "Setting is True $($MSnetworkclient3partysmbserver.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network client: Send unencrypted password to third-party SMB servers' -Status "Setting is False $($MSnetworkclient3partysmbserver.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name ' Microsoft network client: Send unencrypted password to third-party SMB servers' -Status "Setting is Default Disabled" -Icon Good -Percentage '100%' }
}
# Microsoft network server: Digitally sign communications (always)
# (LanManServer RequireSecuritySignature). Passes when the value is 1; an
# undefined setting is reported as "Default Enabled".
# NOTE(review): "undefined" only means that no linked GPO sets the value;
# confirm that the OS default on the audited DCs really is enabled before
# relying on the green result.
$MSnetworkserverdigitalsignalways = SecuritySettings |
    Where-Object { $_.KeyName -eq 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $MSnetworkserverdigitalsignalways) {
    Write-Host "MSnetworkserverdigitalsignalways is defined" -ForegroundColor Green
    if ($MSnetworkserverdigitalsignalways.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network server: Digitally sign communications (always)' -Status "Setting is True $($MSnetworkserverdigitalsignalways.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Microsoft network server: Digitally sign communications (always)' -Status "Setting is False $($MSnetworkserverdigitalsignalways.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name ' Microsoft network server: Digitally sign communications (always)' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
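# Network access: anonymous enumeration checks.
# Fixed: the two registry values were attached to each other's policy name.
# RestrictAnonymousSAM backs "Do not allow anonymous enumeration of SAM
# accounts" and RestrictAnonymous backs "... of SAM accounts and shares".
# With the keys swapped, a missing RestrictAnonymous value was shown as
# "Default Enabled" (green) under the SAM-accounts label. The variable names
# and labels are unchanged; only the key each one reads is corrected.

# Do not allow anonymous enumeration of SAM accounts (RestrictAnonymousSAM).
# Passes when the value is 1; an undefined setting is reported as "Default Enabled".
$NetworkAccessenumSamaccounts = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM" } | Select-Object Display, SettingNumber
if ($null -eq $NetworkAccessenumSamaccounts) {
    New-HTMLStatus { New-HTMLStatusItem -Name ' Network access: Do not allow anonymous enumeration of SAM accounts' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%' }
}
else {
    Write-Host "NetworkAccessenumSamaccounts is defined" -ForegroundColor Green
    if ($NetworkAccessenumSamaccounts.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network access: Do not allow anonymous enumeration of SAM accounts' -Status "Setting is True $($NetworkAccessenumSamaccounts.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network access: Do not allow anonymous enumeration of SAM accounts' -Status "Setting is False $($NetworkAccessenumSamaccounts.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}

# Do not allow anonymous enumeration of SAM accounts and shares
# (RestrictAnonymous). Passes when the value is 1; an undefined setting is
# reported as non-compliant.
$NetworkAccessenumSamaccountsshares = SecuritySettings | Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous" } | Select-Object Display, SettingNumber
if ($null -eq $NetworkAccessenumSamaccountsshares) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' -Status "Setting is not Defined $($NetworkAccessenumSamaccountsshares.SettingNumber)" -Icon Bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "NetworkAccessenumSamaccountsshares is defined" -ForegroundColor Green
    if ($NetworkAccessenumSamaccountsshares.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' -Status "Setting is True $($NetworkAccessenumSamaccountsshares.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # Fixed: the setting is defined but has another value; it used to be
        # reported as "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' -Status "Setting is False $($NetworkAccessenumSamaccountsshares.SettingNumber)" -Icon Bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}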
# Network access: Restrict anonymous access to Named Pipes and Shares
# (LanManServer\Parameters\RestrictNullSessAccess).
# Renders one status tile: no row found -> reported as "Default Enabled" (good),
# value 1 -> good, any other value -> bad plus a toast with the required state.
# NOTE(review): presumably "no row" only means that no parsed GPO sets the key;
# the effective value on the domain controller is not read here - confirm.
$NetworkAccessenumSamaccountpipes = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess" } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $NetworkAccessenumSamaccountpipes) {
    Write-Host "NetworkAccessenumSamaccountpipes is defined " -ForegroundColor Green
    if ($NetworkAccessenumSamaccountpipes.SettingNumber -eq 1) {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'Network access: Restrict anonymous access to Named Pipes and Shares' -Status "Setting is True $($NetworkAccessenumSamaccountpipes.SettingNumber)" -Icon Good -Percentage '100%'
        }
    }
    else {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'Network access: Restrict anonymous access to Named Pipes and Shares' -Status "Setting is False $($NetworkAccessenumSamaccountpipes.SettingNumber)" -Icon bad -Percentage '0%'
        }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus {
        New-HTMLStatusItem -Name 'Network access: Restrict anonymous access to Named Pipes and Shares ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%'
    }
}
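# Network security: Allow LocalSystem NULL session fallback
# (Lsa\MSV1_0\allownullsessionfallback). Expected value: 0 (disabled).
# No row found -> bad ("not Defined"); 0 -> good; any other value -> bad.
$NetworkSecurityLocalNullfallback = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $NetworkSecurityLocalNullfallback) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Allow LocalSystem NULL session fallback' -Status "Setting is not Defined $($NetworkSecurityLocalNullfallback.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "NetworkSecurityLocalNullfallback is defined " -ForegroundColor Green
    if ($NetworkSecurityLocalNullfallback.SettingNumber -eq 0) {
        # "True" here means the check passed, i.e. the fallback is disabled.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Allow LocalSystem NULL session fallback' -Status "Setting is True $($NetworkSecurityLocalNullfallback.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 0: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Allow LocalSystem NULL session fallback' -Status "Setting is False $($NetworkSecurityLocalNullfallback.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}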
# Network security: Do not store LAN Manager hash value on next password change
# (Lsa\NoLMHash).
# Renders one status tile: no row found -> reported as "Default Enabled" (good),
# value 1 -> good, any other value -> bad plus a toast with the required state.
# NOTE(review): this only covers hashes written on future password changes, as
# the policy name says; LM hashes already stored are not detected by this check.
$NetworkSecurityLanManagervalue = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash" } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $NetworkSecurityLanManagervalue) {
    Write-Host "NetworkSecurityLanManagervalue is defined " -ForegroundColor Green
    if ($NetworkSecurityLanManagervalue.SettingNumber -eq 1) {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'Network security: Do not store LAN Manager hash value on next password change' -Status "Setting is True $($NetworkSecurityLanManagervalue.SettingNumber)" -Icon Good -Percentage '100%'
        }
    }
    else {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'Network security: Do not store LAN Manager hash value on next password change' -Status "Setting is False $($NetworkSecurityLanManagervalue.SettingNumber)" -Icon bad -Percentage '0%'
        }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus {
        New-HTMLStatusItem -Name 'Network security: Do not store LAN Manager hash value on next password change ' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%'
    }
}
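# Network security: LAN Manager authentication level (Lsa\LmCompatibilityLevel).
# Expected value: 5 ("Send NTLMv2 responses only, refuse LM and NTLM").
# No row found -> bad ("not Defined"); 5 -> good; any lower level -> bad.
$NetworkSecurityLanManagerauth = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $NetworkSecurityLanManagerauth) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LAN Manager authentication level' -Status "Setting is not Defined $($NetworkSecurityLanManagerauth.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Send NTLMv2 Responses only, Refuse LM and NTLM' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "NetworkSecurityLanManagerauth is defined " -ForegroundColor Green
    if ($NetworkSecurityLanManagerauth.SettingNumber -eq 5) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LAN Manager authentication level' -Status "Setting is True $($NetworkSecurityLanManagerauth.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A level is configured but it is not 5: show the configured level as a
        # failed check, so the reader sees which weaker level is in effect.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LAN Manager authentication level' -Status "Setting is False $($NetworkSecurityLanManagerauth.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Send NTLMv2 Responses only, Refuse LM and NTLM' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}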
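# Network security: LDAP client signing requirements (LDAP\LDAPClientIntegrity).
# Value encoding: 0 = None, 1 = Negotiate signing, 2 = Require signing.
# No row found -> reported as "Default Negotiate Signing" (good).
# 1 or 2 -> good: "Require signing" is stricter than the required minimum and
# must not be flagged as a failure. Any other value -> bad.
$NetworkSecurityLdapclientsign = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $NetworkSecurityLdapclientsign) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LDAP client signing requirements' -Status "Setting is Default Negotiate Signing" -Icon Good -Percentage '100%' }
}
else {
    Write-Host "NetworkSecurityLdapclientsign is defined " -ForegroundColor Green
    if ($NetworkSecurityLdapclientsign.SettingNumber -eq 1 -or $NetworkSecurityLdapclientsign.SettingNumber -eq 2) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LDAP client signing requirements' -Status "Setting is True $($NetworkSecurityLdapclientsign.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: LDAP client signing requirements' -Status "Setting is False $($NetworkSecurityLdapclientsign.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Negotiate Signing or Require Signing ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}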
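# Network security: Minimum session security for NTLM SSP based (including
# secure RPC) clients (Lsa\MSV1_0\NTLMMinClientSec).
# Expected value: 537395200 (0x20080000), i.e. both flags set:
# "Require NTLMv2 session security" and "Require 128-bit encryption".
# No row found -> bad ("not Defined"); exact match -> good; anything else -> bad.
$NetworkSecurityMimsessionNTLMclients = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $NetworkSecurityMimsessionNTLMclients) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' -Status "Setting is not Defined $($NetworkSecurityMimsessionNTLMclients.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require NTLMv2 session security, Require 128bit encryption ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "NetworkSecurityMimsessionNTLMclients is defined " -ForegroundColor Green
    if ($NetworkSecurityMimsessionNTLMclients.SettingNumber -eq 537395200) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' -Status "Setting is True $($NetworkSecurityMimsessionNTLMclients.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but only part of the required flags (or none) is
        # set: report a failed check with the configured value.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' -Status "Setting is False $($NetworkSecurityMimsessionNTLMclients.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require NTLMv2 session security, Require 128bit encryption ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}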
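# Network security: Minimum session security for NTLM SSP based (including
# secure RPC) servers (Lsa\MSV1_0\NTLMMinServerSec).
# Expected value: 537395200 (0x20080000), i.e. both flags set:
# "Require NTLMv2 session security" and "Require 128-bit encryption".
# No row found -> bad ("not Defined"); exact match -> good; anything else -> bad.
$NetworkSecurityMimsessionNTLMservers = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $NetworkSecurityMimsessionNTLMservers) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' -Status "Setting is not Defined $($NetworkSecurityMimsessionNTLMservers.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require NTLMv2 session security, Require 128bit encryption ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "NetworkSecurityMimsessionNTLMservers is defined " -ForegroundColor Green
    if ($NetworkSecurityMimsessionNTLMservers.SettingNumber -eq 537395200) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' -Status "Setting is True $($NetworkSecurityMimsessionNTLMservers.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but only part of the required flags (or none) is
        # set: report a failed check with the configured value.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' -Status "Setting is False $($NetworkSecurityMimsessionNTLMservers.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Require NTLMv2 session security, Require 128bit encryption ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}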
# System objects: Strengthen default permissions of internal system objects
# (Session Manager\ProtectionMode).
# Renders one status tile: no row found -> reported as "Default Enabled" (good),
# value 1 -> good, any other value -> bad plus a toast with the required state.
$SystemObjectstrengthenobjects = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode" } |
    Select-Object -Property Display, SettingNumber
if ($null -ne $SystemObjectstrengthenobjects) {
    Write-Host "SystemObjectstrengthenobjects is defined " -ForegroundColor Green
    if ($SystemObjectstrengthenobjects.SettingNumber -eq 1) {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' -Status "Setting is True $($SystemObjectstrengthenobjects.SettingNumber)" -Icon Good -Percentage '100%'
        }
    }
    else {
        New-HTMLStatus {
            New-HTMLStatusItem -Name 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' -Status "Setting is False $($SystemObjectstrengthenobjects.SettingNumber)" -Icon bad -Percentage '0%'
        }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}
else {
    New-HTMLStatus {
        New-HTMLStatusItem -Name ' System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' -Status "Setting is Default Enabled" -Icon Good -Percentage '100%'
    }
}
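# User Account Control: Admin Approval Mode for the Built-in Administrator
# account (Policies\System\FilterAdministratorToken). Expected value: 1.
# No row found -> bad ("not Defined"); 1 -> good; any other value -> bad.
$Useraccountcontroladminaprrovalbuiltin = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontroladminaprrovalbuiltin) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Admin Approval Mode for the Built-in Administrator account' -Status "Setting is not Defined $($Useraccountcontroladminaprrovalbuiltin.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontroladminaprrovalbuiltin is defined " -ForegroundColor Green
    if ($Useraccountcontroladminaprrovalbuiltin.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Admin Approval Mode for the Built-in Administrator account' -Status "Setting is True $($Useraccountcontroladminaprrovalbuiltin.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 1: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Admin Approval Mode for the Built-in Administrator account' -Status "Setting is False $($Useraccountcontroladminaprrovalbuiltin.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}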
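# User Account Control: Behavior of the elevation prompt for administrators in
# Admin Approval Mode (Policies\System\ConsentPromptBehaviorAdmin).
# Expected value: 2 ("Prompt for consent on the secure desktop").
# No row found -> bad ("not Defined"); 2 -> good; any other value -> bad.
# Every status text must interpolate THIS check's variable; printing the
# FilterAdministratorToken variable here would show an unrelated setting's value.
$Useraccountcontroladminaprrovalpromptadmin = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontroladminaprrovalpromptadmin) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' -Status "Setting is not Defined $($Useraccountcontroladminaprrovalpromptadmin.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Prompt for consent on the secure desktop' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontroladminaprrovalpromptadmin is defined " -ForegroundColor Green
    if ($Useraccountcontroladminaprrovalpromptadmin.SettingNumber -eq 2) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' -Status "Setting is True $($Useraccountcontroladminaprrovalpromptadmin.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' -Status "Setting is False $($Useraccountcontroladminaprrovalpromptadmin.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Prompt for consent on the secure desktop' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}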
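# User Account Control: Behavior of the elevation prompt for standard users
# (Policies\System\ConsentPromptBehaviorUser).
# Expected value: 0 ("Automatically deny elevation requests").
# No row found -> bad ("not Defined"); 0 -> good; any other value -> bad.
$Useraccountcontroladminaprrovalpromptuser = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontroladminaprrovalpromptuser) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for standard users' -Status "Setting is not Defined $($Useraccountcontroladminaprrovalpromptuser.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Automatically deny elevation requests ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontroladminaprrovalpromptuser is defined " -ForegroundColor Green
    if ($Useraccountcontroladminaprrovalpromptuser.SettingNumber -eq 0) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for standard users' -Status "Setting is True $($Useraccountcontroladminaprrovalpromptuser.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 0: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Behavior of the elevation prompt for standard users' -Status "Setting is False $($Useraccountcontroladminaprrovalpromptuser.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Automatically deny elevation requests ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}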
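# User Account Control: Detect application installations and prompt for
# elevation (Policies\System\EnableInstallerDetection). Expected value: 1.
# No row found -> bad ("not Defined"); 1 -> good; any other value -> bad.
$Useraccountcontroldetectapp = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontroldetectapp) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Detect application installations and prompt for elevation' -Status "Setting is not Defined $($Useraccountcontroldetectapp.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontroldetectapp is defined " -ForegroundColor Green
    if ($Useraccountcontroldetectapp.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Detect application installations and prompt for elevation' -Status "Setting is True $($Useraccountcontroldetectapp.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 1: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Detect application installations and prompt for elevation' -Status "Setting is False $($Useraccountcontroldetectapp.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}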
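# User Account Control: Only elevate UIAccess applications that are installed
# in secure locations (Policies\System\EnableSecureUIAPaths). Expected value: 1.
# No row found -> bad ("not Defined"); 1 -> good; any other value -> bad.
$UseraccountcontrolUIaccess = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $UseraccountcontrolUIaccess) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' -Status "Setting is not Defined $($UseraccountcontrolUIaccess.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "UseraccountcontrolUIaccess is defined " -ForegroundColor Green
    if ($UseraccountcontrolUIaccess.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' -Status "Setting is True $($UseraccountcontrolUIaccess.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 1: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' -Status "Setting is False $($UseraccountcontrolUIaccess.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}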
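# User Account Control: Run all administrators in Admin Approval Mode
# (Policies\System\EnableLUA). Expected value: 1.
# No row found -> bad ("not Defined"); 1 -> good; any other value -> bad.
$Useraccountcontrolrunalladmin = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontrolrunalladmin) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Run all administrators in Admin Approval Mode' -Status "Setting is not Defined $($Useraccountcontrolrunalladmin.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontrolrunalladmin is defined " -ForegroundColor Green
    if ($Useraccountcontrolrunalladmin.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Run all administrators in Admin Approval Mode' -Status "Setting is True $($Useraccountcontrolrunalladmin.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 1 (UAC is switched off): report a failed
        # check with the configured value, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Run all administrators in Admin Approval Mode' -Status "Setting is False $($Useraccountcontrolrunalladmin.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}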
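# User Account Control: Virtualize file and registry write failures to
# per-user locations (Policies\System\EnableVirtualization). Expected value: 1.
# No row found -> bad ("not Defined"); 1 -> good; any other value -> bad.
$Useraccountcontrolvirtalizefile = SecuritySettings |
    Where-Object { $_.KeyName -eq "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization" } |
    Select-Object -Property Display, SettingNumber
if ($null -eq $Useraccountcontrolvirtalizefile) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Virtualize file and registry write failures to per-user locations' -Status "Setting is not Defined $($Useraccountcontrolvirtalizefile.SettingNumber)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Useraccountcontrolvirtalizefile is defined " -ForegroundColor Green
    if ($Useraccountcontrolvirtalizefile.SettingNumber -eq 1) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Virtualize file and registry write failures to per-user locations' -Status "Setting is True $($Useraccountcontrolvirtalizefile.SettingNumber)" -Icon Good -Percentage '100%' }
    }
    else {
        # A value is present but is not 1: report a failed check, not "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'User Account Control: Virtualize file and registry write failures to per-user locations' -Status "Setting is False $($Useraccountcontrolvirtalizefile.SettingNumber)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}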
}}
New-HTMLContainer {
New-HTMLHeading -Heading h1 -HeadingText 'Audit Config Check'
New-HTMLPanel -Invisible {
Write-Host "--------------Audit Config Check List-------------" -ForegroundColor Blue
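## Audit Credential Validation - expected SettingValue 3 (Success and Failure).
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# No row found -> bad ("not Defined"); 3 -> good; any other value -> bad.
$Auditcredentialvalidation = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Credential Validation" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $Auditcredentialvalidation) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Credential Validation' -Status "Setting is not Defined $($Auditcredentialvalidation.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Auditcredentialvalidation is defined " -ForegroundColor Green
    if ($Auditcredentialvalidation.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Credential Validation' -Status "Setting is True $($Auditcredentialvalidation.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Auditing is configured but incomplete: show the configured value as a
        # failed check instead of calling it "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Credential Validation' -Status "Setting is False $($Auditcredentialvalidation.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}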
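## Audit Computer Account Management - Success auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 1 and 3 both pass: "Success and Failure" includes the required Success
# events, so it must not be flagged as a failure.
$Auditcomputeraccount = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Computer Account Management" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $Auditcomputeraccount) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Computer Account Management' -Status "Setting is not Defined $($Auditcomputeraccount.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Auditcomputeraccount is defined " -ForegroundColor Green
    if ($Auditcomputeraccount.SettingValue -eq 1 -or $Auditcomputeraccount.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Computer Account Management' -Status "Setting is True $($Auditcomputeraccount.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Success events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Computer Account Management' -Status "Setting is False $($Auditcomputeraccount.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}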
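## Audit Other Account Management Events - Success auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 1 and 3 both pass: "Success and Failure" includes the required Success events.
$Auditotheraccount = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Other Account Management Events" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $Auditotheraccount) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Account Management Events' -Status "Setting is not Defined $($Auditotheraccount.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Auditotheraccount is defined " -ForegroundColor Green
    if ($Auditotheraccount.SettingValue -eq 1 -or $Auditotheraccount.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Account Management Events' -Status "Setting is True $($Auditotheraccount.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Success events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Account Management Events' -Status "Setting is False $($Auditotheraccount.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}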
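## Audit Security Group Management - Success auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 1 and 3 both pass: "Success and Failure" includes the required Success events.
$Auditsecuritygroup = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Security Group Management" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $Auditsecuritygroup) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security Group Management' -Status "Setting is not Defined $($Auditsecuritygroup.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "Auditsecuritygroup is defined " -ForegroundColor Green
    if ($Auditsecuritygroup.SettingValue -eq 1 -or $Auditsecuritygroup.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security Group Management' -Status "Setting is True $($Auditsecuritygroup.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Success events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security Group Management' -Status "Setting is False $($Auditsecuritygroup.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}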
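## Audit User Account Management - expected SettingValue 3 (Success and Failure).
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# No row found -> bad ("not Defined"); 3 -> good; any other value -> bad.
$audituseraccount = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit User Account Management" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $audituseraccount) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit User Account Management' -Status "Setting is not Defined $($audituseraccount.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "audituseraccount is defined " -ForegroundColor Green
    if ($audituseraccount.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit User Account Management' -Status "Setting is True $($audituseraccount.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Auditing is configured but incomplete: show the configured value as a
        # failed check instead of calling it "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit User Account Management' -Status "Setting is False $($audituseraccount.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}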
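## Audit PNP Activity - Success auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 1 and 3 both pass: "Success and Failure" includes the required Success events.
$auditpnpactivity = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit PNP Activity" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $auditpnpactivity) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit PNP Activity' -Status "Setting is not Defined $($auditpnpactivity.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "auditpnpactivity is defined " -ForegroundColor Green
    if ($auditpnpactivity.SettingValue -eq 1 -or $auditpnpactivity.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit PNP Activity' -Status "Setting is True $($auditpnpactivity.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Success events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit PNP Activity' -Status "Setting is False $($auditpnpactivity.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}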
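## Audit Process Creation - Success auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 1 and 3 both pass: "Success and Failure" includes the required Success events.
# NOTE(review): this covers the audit subcategory only; whether the command
# line is included in process-creation events is a separate policy that is not
# checked in this block.
$auditprocesscreation = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Process Creation" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $auditprocesscreation) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Process Creation' -Status "Setting is not Defined $($auditprocesscreation.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "auditprocesscreation is defined " -ForegroundColor Green
    if ($auditprocesscreation.SettingValue -eq 1 -or $auditprocesscreation.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Process Creation' -Status "Setting is True $($auditprocesscreation.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Success events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Process Creation' -Status "Setting is False $($auditprocesscreation.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}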
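## Audit Directory Service Access - expected SettingValue 3 (Success and Failure).
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# No row found -> bad ("not Defined"); 3 -> good; any other value -> bad.
$auditdirectoryserviceaccess = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Directory Service Access" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $auditdirectoryserviceaccess) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Access' -Status "Setting is not Defined $($auditdirectoryserviceaccess.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "auditdirectoryserviceaccess is defined " -ForegroundColor Green
    if ($auditdirectoryserviceaccess.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Access' -Status "Setting is True $($auditdirectoryserviceaccess.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Auditing is configured but incomplete: show the configured value as a
        # failed check instead of calling it "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Access' -Status "Setting is False $($auditdirectoryserviceaccess.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}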
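## Audit Directory Service Changes - expected SettingValue 3 (Success and Failure).
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# No row found -> bad ("not Defined"); 3 -> good; any other value -> bad.
$auditdirectoryservicechange = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Directory Service Changes" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $auditdirectoryservicechange) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Changes' -Status "Setting is not Defined $($auditdirectoryservicechange.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "auditdirectoryservicechange is defined " -ForegroundColor Green
    if ($auditdirectoryservicechange.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Changes' -Status "Setting is True $($auditdirectoryservicechange.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Auditing is configured but incomplete: show the configured value as a
        # failed check instead of calling it "not Defined".
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Directory Service Changes' -Status "Setting is False $($auditdirectoryservicechange.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}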
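## Audit Account Lockout - Failure auditing is required.
# SettingValue encoding as used by this script's own messages:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
# 2 and 3 both pass: "Success and Failure" includes the required Failure
# events, so it must not be flagged as a failure.
$auditaccountlockout = Audit |
    Where-Object { $_.SubCategoryName -eq "Audit Account Lockout" } |
    Select-Object -Property SubCategoryName, SettingValue
if ($null -eq $auditaccountlockout) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Account Lockout' -Status "Setting is not Defined $($auditaccountlockout.SettingValue)" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
    Write-Host "auditaccountlockout is defined " -ForegroundColor Green
    if ($auditaccountlockout.SettingValue -eq 2 -or $auditaccountlockout.SettingValue -eq 3) {
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Account Lockout' -Status "Setting is True $($auditaccountlockout.SettingValue)" -Icon Good -Percentage '100%' }
    }
    else {
        # Configured, but Failure events are not audited: report a failed check.
        New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Account Lockout' -Status "Setting is False $($auditaccountlockout.SettingValue)" -Icon bad -Percentage '0%' }
        New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure' -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
}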
##auditgroupmembership
$auditgroupmembership=Audit | where {$_.SubCategoryName -eq "Audit Group Membership"} | select SubCategoryName,SettingValue
if($auditgroupmembership -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Group Membership' -Status "Setting is not Defined $($auditgroupmembership.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditgroupmembership is defined " -ForegroundColor Green
if($auditgroupmembership.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Group Membership' -Status "Setting is True $($auditgroupmembership.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Group Membership' -Status "Setting is not Defined $($auditgroupmembership.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
}
##auditlogon
$auditlogon=Audit | where {$_.SubCategoryName -eq "Audit Logon"} | select SubCategoryName,SettingValue
if($auditlogon -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Logon' -Status "Setting is not Defined $($auditlogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditlogon is defined " -ForegroundColor Green
if($auditlogon.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Logon' -Status "Setting is True $($auditlogon.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Logon' -Status "Setting is not Defined $($auditlogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
}
##auditotherlogon
$auditotherlogon=Audit | where {$_.SubCategoryName -eq "Audit Other Logon/Logoff Events"} | select SubCategoryName,SettingValue
if($auditotherlogon -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Logon/Logoff Events' -Status "Setting is not Defined $($auditotherlogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditotherlogon is defined " -ForegroundColor Green
if($auditotherlogon.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Logon/Logoff Events' -Status "Setting is True $($auditotherlogon.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Logon/Logoff Events' -Status "Setting is not Defined $($auditotherlogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
}
##auditspeciallogon
$auditspeciallogon=Audit | where {$_.SubCategoryName -eq "Audit Special Logon"} | select SubCategoryName,SettingValue
if($auditspeciallogon -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Special Logon' -Status "Setting is not Defined $($auditspeciallogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditspeciallogon is defined " -ForegroundColor Green
if($auditspeciallogon.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Special Logon' -Status "Setting is True $($auditspeciallogon.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Special Logon' -Status "Setting is not Defined $($auditspeciallogon.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
}
##auditdetailedfileshare
$auditdetailedfileshare=Audit | where {$_.SubCategoryName -eq "Audit Detailed File Share"} | select SubCategoryName,SettingValue
if($auditdetailedfileshare -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Detailed File Share' -Status "Setting is not Defined $($auditdetailedfileshare.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditdetailedfileshare is defined " -ForegroundColor Green
if($auditdetailedfileshare.SettingValue -eq 2){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Detailed File Share' -Status "Setting is True $($auditdetailedfileshare.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Detailed File Share' -Status "Setting is not Defined $($auditdetailedfileshare.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditfileshare
$auditfileshare=Audit | where {$_.SubCategoryName -eq "Audit File Share"} | select SubCategoryName,SettingValue
if($auditfileshare -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit File Share' -Status "Setting is not Defined $($auditfileshare.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditfileshare is defined " -ForegroundColor Green
if($auditfileshare.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit File Share' -Status "Setting is True $($auditfileshare.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit File Share' -Status "Setting is not Defined $($auditfileshare.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditotherobjectaccess
$auditotherobjectaccess=Audit | where {$_.SubCategoryName -eq "Audit Other Object Access Events"} | select SubCategoryName,SettingValue
if($auditotherobjectaccess -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Object Access Events' -Status "Setting is not Defined $($auditotherobjectaccess.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditotherobjectaccess is defined " -ForegroundColor Green
if($auditotherobjectaccess.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Object Access Events' -Status "Setting is True $($auditotherobjectaccess.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Object Access Events' -Status "Setting is not Defined $($auditotherobjectaccess.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditremovablestorage
$auditremovablestorage=Audit | where {$_.SubCategoryName -eq "Audit Removable Storage"} | select SubCategoryName,SettingValue
if($auditremovablestorage -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Removable Storage' -Status "Setting is not Defined $($auditremovablestorage.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditremovablestorage is defined " -ForegroundColor Green
if($auditremovablestorage.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Removable Storage' -Status "Setting is True $($auditremovablestorage.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Removable Storage' -Status "Setting is not Defined $($auditremovablestorage.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditpolicychange
$auditpolicychange=Audit | where {$_.SubCategoryName -eq "Audit Audit Policy Change"} | select SubCategoryName,SettingValue
if($auditpolicychange -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Audit Policy Change' -Status "Setting is not Defined $($auditpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditpolicychange is defined " -ForegroundColor Green
if($auditpolicychange.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Audit Policy Change' -Status "Setting is True $($auditpolicychange.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Audit Policy Change' -Status "Setting is not Defined $($auditpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditauthpolicychange
$auditauthpolicychange=Audit | where {$_.SubCategoryName -eq "Audit Authentication Policy Change"} | select SubCategoryName,SettingValue
if($auditauthpolicychange -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Authentication Policy Change' -Status "Setting is not Defined $($auditauthpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditauthpolicychange is defined " -ForegroundColor Green
if($auditauthpolicychange.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Authentication Policy Change' -Status "Setting is True $($auditauthpolicychange.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Authentication Policy Change' -Status "Setting is not Defined $($auditauthpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditmpssvcrulepolicy
$auditmpssvcrulepolicy=Audit | where {$_.SubCategoryName -eq "Audit MPSSVC Rule-Level Policy Change"} | select SubCategoryName,SettingValue
if($auditmpssvcrulepolicy -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit MPSSVC Rule-Level Policy Change' -Status "Setting is not Defined $($auditmpssvcrulepolicy.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditmpssvcrulepolicy is defined " -ForegroundColor Green
if($auditmpssvcrulepolicy.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit MPSSVC Rule-Level Policy Change' -Status "Setting is True $($auditmpssvcrulepolicy.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit MPSSVC Rule-Level Policy Change' -Status "Setting is not Defined $($auditmpssvcrulepolicy.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Succces and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditotherpolicychange
$auditotherpolicychange=Audit | where {$_.SubCategoryName -eq "Audit Other Policy Change Events"} | select SubCategoryName,SettingValue
if($auditotherpolicychange -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Policy Change Events' -Status "Setting is not Defined $($auditotherpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditotherpolicychange is defined " -ForegroundColor Green
if($auditotherpolicychange.SettingValue -eq 2){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Policy Change Events' -Status "Setting is True $($auditotherpolicychange.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other Policy Change Events' -Status "Setting is not Defined $($auditotherpolicychange.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditpriviligeuse
$auditpriviligeuse=Audit | where {$_.SubCategoryName -eq "Audit Sensitive Privilege Use"} | select SubCategoryName,SettingValue
if($auditpriviligeuse -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Sensitive Privilege Use' -Status "Setting is not Defined $($auditpriviligeuse.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditpriviligeuse is defined " -ForegroundColor Green
if($auditpriviligeuse.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Sensitive Privilege Use' -Status "Setting is True $($auditpriviligeuse.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Sensitive Privilege Use' -Status "Setting is not Defined $($auditpriviligeuse.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditothersystemevent
$auditothersystemevent=Audit | where {$_.SubCategoryName -eq "Audit Other System Events"} | select SubCategoryName,SettingValue
if($auditothersystemevent -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other System Events' -Status "Setting is not Defined $($auditothersystemevent.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditothersystemevent is defined " -ForegroundColor Green
if($auditothersystemevent.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other System Events' -Status "Setting is True $($auditothersystemevent.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Other System Events' -Status "Setting is not Defined $($auditothersystemevent.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditsecuritystate
$auditsecuritystate=Audit | where {$_.SubCategoryName -eq "Audit Security State Change"} | select SubCategoryName,SettingValue
if($auditsecuritystate -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security State Change' -Status "Setting is not Defined $($auditsecuritystate.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditsecuritystate is defined " -ForegroundColor Green
if($auditsecuritystate.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security State Change' -Status "Setting is True $($auditsecuritystate.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security State Change' -Status "Setting is not Defined $($auditsecuritystate.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditsecuritysystem
$auditsecuritysystem=Audit | where {$_.SubCategoryName -eq "Audit Security System Extension"} | select SubCategoryName,SettingValue
if($auditsecuritysystem -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security System Extension' -Status "Setting is not Defined $($auditsecuritysystem.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditsecuritysystem is defined " -ForegroundColor Green
if($auditsecuritysystem.SettingValue -eq 1){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security System Extension' -Status "Setting is True $($auditsecuritysystem.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit Security System Extension' -Status "Setting is not Defined $($auditsecuritysystem.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
##auditsystemintegrity
$auditsystemintegrity=Audit | where {$_.SubCategoryName -eq "Audit System Integrity"} | select SubCategoryName,SettingValue
if($auditsystemintegrity -eq $null){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit System Integrity' -Status "Setting is not Defined $($auditsystemintegrity.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
Write-Host "auditsystemintegrity is defined " -ForegroundColor Green
if($auditsystemintegrity.SettingValue -eq 3){
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit System Integrity' -Status "Setting is True $($auditsystemintegrity.SettingValue)" -Icon Good -Percentage '100%' }
}
else{
New-HTMLStatus { New-HTMLStatusItem -Name 'Audit System Integrity' -Status "Setting is not Defined $($auditsystemintegrity.SettingValue)" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text 'Must Be Success and Failure ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
}}
}}
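# Built-in Administrator (RID 500): rename status and password age.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Administrator Account'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Administrator User Checking-------------" -ForegroundColor Blue
        # The account is looked up by its well-known SID (<domain SID>-500), so the
        # lookup works whatever the account is currently called. The same lookup is
        # available to anyone who can read the directory, so a rename alone does not
        # hide the account; treat it as a minor hardening item.
        $sid = (Get-ADDomain).domainsid
        $sid500 = $sid.ToString() + "-500"
        # Request only the extra attribute that is used instead of every attribute.
        $administrator=Get-ADUser -Identity $sid500 -Properties PasswordLastSet |select name,samaccountname,PasswordLastSet
        # Age thresholds; later panels in this script reference these names as well.
        $180days=(Get-Date).AddDays(-180)
        $60days=(Get-Date).AddDays(-60)
        if($administrator.samaccountname -eq "Administrator"){
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-500 account not renamed' -Status "Account Must Be Renamed" -Icon bad -Percentage '0%'}
        }
        else{
            Write-Host "SID-500 account renamed is true" -ForegroundColor Green
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-500 account is renamed' -Status "Account Renamed" -Icon Good -Percentage '100%' }
        }
        # A password last set on or before the 180-day cut-off is reported as stale.
        if($administrator.PasswordLastSet -le $180days){
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-500 account not password changed in 180 days' -Status "Must Change Password" -Icon bad -Percentage '0%'}
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-500 account password changed in 180 days' -Status "Password Changed in 180 days" -Icon Good -Percentage '100%' }
        }
    }
}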
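# Built-in Guest (RID 501): rename status.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Guest Account'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Guest User Checking-------------" -ForegroundColor Blue
        # Resolve the domain SID in this panel. The original reused $sid assigned
        # inside the Administrator panel's script block, which is only visible here
        # if PSWriteHTML runs those blocks in the caller's scope.
        $sid = (Get-ADDomain).domainsid
        $sid501=$sid.ToString() + "-501"
        $guest= Get-ADUser -Identity $sid501 |select name,samaccountname
        # NOTE(review): only the name is checked. Whether the Guest account is
        # disabled is not reported here and is the more important control.
        if($guest.samaccountname -eq "Guest"){
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-501 account not renamed' -Status "Account Must Be Renamed" -Icon bad -Percentage '0%'}
        }
        else{
            # Label fixed: this branch reported the Guest result as 'SID-500'.
            New-HTMLStatus { New-HTMLStatusItem -Name 'SID-501 account is renamed' -Status "Account Renamed" -Icon Good -Percentage '100%' }
        }
    }
}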
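# KRBTGT account: password age.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'KRBTGT Account'
    New-HTMLPanel -Invisible {
        Write-Host "--------------KRBTGT Checking-------------" -ForegroundColor Blue
        # Compute the cut-off in this panel. The original relied on $180days from the
        # Administrator panel's script block; if that variable is not in scope here
        # the comparison below is made against $null and the check would report
        # "Good" regardless of the real password age.
        $180days=(Get-Date).AddDays(-180)
        # Request only the extra attribute that is used instead of every attribute.
        $krbtgt=Get-ADUser -Identity "krbtgt" -Properties PasswordLastSet | select name,samaccountname,passwordlastset
        if($krbtgt.PasswordLastSet -le $180days){
            New-HTMLStatus { New-HTMLStatusItem -Name 'krbtgt account not password changed in 180 days' -Status "Must Change Password" -Icon bad -Percentage '0%'}
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'krbtgt account password changed in 180 days' -Status "Password Changed in 180 days" -Icon Good -Percentage '100%' }
        }
    }
}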
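# SMBv1 server protocol state.
New-HTMLContainer {
    # Heading fixed: this section was titled 'Guest Account' although it reports SMBv1.
    New-HTMLHeading -Heading h1 -HeadingText 'SMBV1'
    New-HTMLPanel -Invisible {
        Write-Host "--------------SMBV1 Checking-------------" -ForegroundColor Blue
        # Get-SmbServerConfiguration is called without a target, so the result
        # describes the SMB server settings of the machine running the script only.
        $smb1control=Get-SmbServerConfiguration |select EnableSMB1Protocol
        if($smb1control.EnableSMB1Protocol -eq $false){
            New-HTMLStatus { New-HTMLStatusItem -Name 'SMBV1' -Status "Closed" -Icon Good -Percentage '100%'}
        }
        else{
            # Also reached when the value could not be read, so an unknown state is
            # reported as "Open" rather than silently passing.
            New-HTMLStatus { New-HTMLStatusItem -Name 'SMBV1' -Status "Open" -Icon Bad -Percentage '0%' }
        }
    }
}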
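# Patch recency: date of the most recently installed hotfix.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Update'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Update Checking-------------" -ForegroundColor Blue
        # Compute the cut-off in this panel. The original relied on $60days from the
        # Administrator panel's script block; if that variable is not in scope here
        # the comparison is made against $null and the check would always pass.
        $60days=(Get-Date).AddDays(-60)
        # Newest entry by install date. Get-HotFix reports for the local machine only.
        # NOTE(review): entries without an InstalledOn value sort last; if no entry
        # has a date the check falls into the "bad" branch.
        $updatedate=Get-HotFix | Sort-Object InstalledOn -Descending | select Description,HotFixID,InstalledOn -First 1
        if($updatedate.InstalledOn -le $60days){
            # A space now separates the message from the date.
            New-HTMLStatus { New-HTMLStatusItem -Name 'Update' -Status "No Update in 60 days $($updatedate.InstalledOn)" -Icon bad -Percentage '0%'}
        }
        else{
            New-HTMLStatus { New-HTMLStatusItem -Name 'Update' -Status "Up to-Date" -Icon Good -Percentage '100%' }
        }
    }
}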
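# Uptime: last boot time of the machine running the script.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Boot Time'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Last Boot Time Checking-------------" -ForegroundColor Blue
        # Compute the cut-off in this panel. The original relied on $180days from the
        # Administrator panel's script block; if that variable is not in scope here
        # the comparison is made against $null and the check would always pass.
        $180days=(Get-Date).AddDays(-180)
        $lastboottime=Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime
        # A host that has not restarted for 180 days has presumably also not applied
        # updates that need a reboot, which is why long uptime is reported as bad.
        if($lastboottime.lastbootuptime -le $180days){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Boot Time' -Status "No boot Time more than 180 $($lastboottime.lastbootuptime)" -Icon bad -Percentage '0%'}
        }
        else{
            New-HTMLStatus { New-HTMLStatusItem -Name 'Boot Time' -Status "$($lastboottime.lastbootuptime)" -Icon Good -Percentage '100%' }
        }
    }
}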
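# User statistics: disabled, never-logged-on, non-expiring and password-not-required accounts.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Users'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Users Checking-------------" -ForegroundColor Blue
        # NOTE(review): -Properties * reads every attribute of every user; listing only
        # the selected attributes would be much lighter on a large directory.
        $alluser=Get-ADUser -Filter * -Properties * | select Name,SamaccountName,Surname,DisplayName,EmailAddress,Enabled,LastLogonDate,LockedOut,PasswordExpired,PasswordLastSet,PasswordNeverExpires,PasswordNotRequired,WhenCreated,WhenChanged
        $enableuser=Get-ADUser -Filter {enabled -eq $true} | select Name,SamaccountName,SID
        $disableuser=Get-ADUser -Filter {enabled -eq $false} | select Name,SamaccountName,SID
        # "Inactive" here means enabled accounts that have no lastLogonTimestamp value.
        $inactiveuser=Get-ADUser -Filter {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | select Name,SamaccountName,SID
        $admincount=Get-ADUser -Filter {admincount -eq 1} | select Name,SamaccountName,SID
        $passwordneverexpire=Get-ADUser -Filter {PasswordNeverExpires -eq $true} | select Name,SamaccountName,SID
        $passwordnotrequired= Get-ADUser -Filter {passwordnotrequired -eq $true} | select Name,SamaccountName,SID
        # Typographic dash and quotes from the blog rendering replaced with ASCII.
        $admincount1groups=Get-ADGroup -LDAPFilter "(admincount=1)" | Select-Object Name

        # Thresholds are compared as numbers. The original compared the formatted
        # percent string with "10", which is a text comparison: "5.00%" sorts after
        # "10", so small shares were flagged and the result depended on the culture's
        # percent format.
        $totalusers=$alluser.count

        ##disableusercheck
        [double]$disabledratio=0
        if($totalusers -gt 0){ $disabledratio=$disableuser.count/$totalusers }
        $percentdisableuser=$disabledratio.ToString("P")
        if($disabledratio -ge 0.10){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Disable User' -Status " $($percentdisableuser)" -Icon bad -Percentage '0%'}
            New-HTMLToast -TextHeader 'Information' -Text "$($disableuser.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Disable User ' -Status " $($percentdisableuser)" -Icon Good -Percentage '100%' }
        }

        ##inactiveuser check
        [double]$inactiveratio=0
        if($totalusers -gt 0){ $inactiveratio=$inactiveuser.count/$totalusers }
        $percentinactiveuser=$inactiveratio.ToString("P")
        if($inactiveratio -ge 0.10){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Inactive User' -Status "$($percentinactiveuser)" -Icon bad -Percentage '0%'}
            New-HTMLToast -TextHeader 'Information' -Text "$($inactiveuser.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Inactive User ' -Status "$($percentinactiveuser)" -Icon Good -Percentage '100%' }
        }

        ##passwordneverexpire
        # One non-expiring account is tolerated by this check; two or more fail.
        $neverexpirecount=($passwordneverexpire.samaccountname).Count
        if($neverexpirecount -ge 2){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Password Never Expire Users' -Status " $($neverexpirecount)" -Icon bad -Percentage '0%'}
            New-HTMLToast -TextHeader 'Information' -Text "$($passwordneverexpire.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            # Show the real count; the original always printed "0" here, also for one account.
            New-HTMLStatus { New-HTMLStatusItem -Name 'Password Never Expire Users ' -Status "$($neverexpirecount)" -Icon Good -Percentage '100%' }
        }

        ##passwordnotrequired
        # Any account flagged "password not required" fails. The original tested
        # "-ge 0", which is always true, so the check could never pass.
        $notrequiredcount=($passwordnotrequired.samaccountname).Count
        if($notrequiredcount -gt 0){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Password Not Required' -Status " $($notrequiredcount)" -Icon bad -Percentage '0%'}
            New-HTMLToast -TextHeader 'Information' -Text "$($passwordnotrequired.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Password Not Required' -Status "0" -Icon Good -Percentage '100%' }
        }
    }
}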
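Write-Host "--------------Admin Count Checking-------------" -ForegroundColor Blue
##admincountchecking###
# Finds accounts that still carry adminCount=1 although they are no longer a
# member (directly or through nesting) of any group flagged adminCount=1.
# The result is written to the console only; nothing is added to the HTML report.
$UsersInAdminGroups = (Get-ADGroup -LDAPFilter '(adminCount=1)') |
    ForEach-Object {
        # Get all users from all admin groups recursively
        Get-ADGroupMember $_ -Recursive | Where-Object {$_.ObjectClass -eq 'User'}
    } | Sort-Object distinguishedname | Select-Object -Unique
$admincountuser=Get-ADUser -LDAPFilter '(adminCount=1)' |select Samaccountname
# The loop uses its own variable; the original reused $admincountuser as the
# iterator, which overwrote the collection with the last account name.
ForEach($admincountname in $admincountuser.samaccountname){
    # krbtgt carries adminCount=1 without being a group member, so it is excluded.
    if(($admincountname -notin $UsersInAdminGroups.samaccountname)-and ($admincountname -ne "krbtgt")){
        Write-Host "Not admin", $admincountname -ForegroundColor Red
    }
    else{
        Write-Host "Still admin User", $admincountname -ForegroundColor Green
    }
}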
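# Privileged accounts (adminCount=1) that have a mail attribute set.
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Admin Mail'
    New-HTMLPanel -Invisible {
        Write-Host "--------------Admin Mail Checking-------------" -ForegroundColor Blue
        ##emptymail
        # Presumably flagged because a mail-enabled privileged account is reachable by
        # e-mail and therefore exposed to phishing; admin accounts should not double
        # as mailbox accounts.
        # NOTE(review): the filter wraps (mail=*) in an extra pair of parentheses;
        # confirm the directory accepts it, or use '(&(mail=*)(adminCount=1))'.
        $adminusernotemptymail= Get-ADUser -LDAPFilter '(&((mail=*))(adminCount=1))' | select name,samaccountname
        if($adminusernotemptymail.samaccountname){
            New-HTMLStatus { New-HTMLStatusItem -Name 'Admin Mail is not Empty' -Status "$(($adminusernotemptymail.samaccountname).count)" -Icon bad -Percentage '0%'}
            New-HTMLToast -TextHeader 'Information' -Text "$($adminusernotemptymail.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            # Report the passing case too, like the other checks, so an empty panel
            # cannot be mistaken for a check that did not run.
            New-HTMLStatus { New-HTMLStatusItem -Name 'Admin Mail is Empty' -Status "0" -Icon Good -Percentage '100%' }
        }
    }
}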
New-HTMLContainer {
New-HTMLHeading -Heading h1 -HeadingText 'Groups'
New-HTMLPanel -Invisible {
Write-Host "--------------Groups Checking-------------" -ForegroundColor Blue
# Effective (recursive) membership of the privileged built-in groups. Nested
# groups are expanded, so the counts below are of the members that end up in
# each group, not of the direct entries.
# NOTE(review): the groups are looked up by their default English names; a lookup
# presumably fails where a group is missing or named differently - confirm for
# the target domain (for example "Enterprise Key Admins" on older domains).
$domainadmins=Get-ADGroupMember -Identity "Domain Admins" -Recursive |select name,samaccountname
$enterpriseadmins=Get-ADGroupMember -Identity "Enterprise Admins" -Recursive |select name,samaccountname
$schemaadmins=Get-ADGroupMember -Identity "Schema Admins" -Recursive |select name,samaccountname
$administrators=Get-ADGroupMember -Identity "Administrators" -Recursive |select name,samaccountname
$backupoperators=Get-ADGroupMember -Identity "Backup Operators" -Recursive |select name,samaccountname
$printoperators=Get-ADGroupMember -Identity "Print Operators" -Recursive |select name,samaccountname
$serveroperators=Get-ADGroupMember -Identity "Server Operators" -Recursive |select name,samaccountname
$gpocreator=Get-ADGroupMember -Identity "Group Policy Creator Owners" -Recursive |select name,samaccountname
$enterprisekeyadmins=Get-ADGroupMember -Identity "Enterprise Key Admins" -Recursive |select name,samaccountname
# Collected here but not part of the summary table below.
$protectedusers=Get-ADGroupMember -Identity "Protected Users" -Recursive |select name,samaccountname
# Groups that have no member attribute value at all.
$emptygroup=Get-ADGroup -LDAPFilter "(!(member=*))" | select Name
$totalgroup=Get-ADGroup -Filter *
## summary table: one row per privileged group with its member count,
## plus a final row with the number of empty groups
$Admins = @(
[PSCustomObject] @{
Groups = "Domain Admins"
Count=($domainadmins.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Enterprise Admins"
Count=($enterpriseadmins.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Administrators"
Count=($administrators.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Schema Admins"
Count=($schemaadmins.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Backup Operators"
Count=($backupoperators.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Print Operators"
Count=($printoperators.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Server Operators "
Count=($serveroperators.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Gpo Creator"
Count=($gpocreator.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Enterprise Key Admins"
Count=($enterprisekeyadmins.samaccountname).Count
}
[PSCustomObject] @{
Groups = "Empty Group"
Count=($emptygroup.name).Count
}
)
# Render the table. Every row whose Count is greater than 1 is coloured red and
# every other row green; the same limit of 1 is applied to all rows, including
# "Domain Admins" (checked against 3 further down) and "Empty Group".
New-HTMLTable -DataTable $Admins -HideFooter -DisableInfo -HideButtons -DisableSearch {
New-TableCondition -Name 'Count' -ComparisonType number -Operator gt -Value 1 -BackgroundColor Red -FailBackgroundColor Green
}
# Size limits for the privileged groups, evaluated in the order listed.
#   Members    - recursive member list collected above
#   Limit      - the check fails when the member count is greater than this
#   BadName / GoodName     - status item title for the failing / passing case
#   BadStatus / GoodStatus - status text for the failing / passing case
$groupchecks = @(
    [PSCustomObject]@{ Members = $domainadmins;     Limit = 3; BadName = 'Domain Admins';     GoodName = 'Domain Admins';     BadStatus = "More than 3 Admins"; GoodStatus = "Lower Than 3 User" }
    [PSCustomObject]@{ Members = $enterpriseadmins; Limit = 1; BadName = 'Enterprise Admins'; GoodName = 'Enterprise Admins'; BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $schemaadmins;     Limit = 1; BadName = 'Schema Admins';     GoodName = 'Schema Admins';     BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $administrators;   Limit = 1; BadName = 'Administrators';    GoodName = 'Administrators';    BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $backupoperators;  Limit = 1; BadName = 'Backup Operators';  GoodName = 'Backup Operators';  BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $printoperators;   Limit = 1; BadName = 'Print Operators';   GoodName = 'Print Operators';   BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $serveroperators;  Limit = 1; BadName = 'Server Operators';  GoodName = 'Server Operators';  BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
    [PSCustomObject]@{ Members = $gpocreator;       Limit = 1; BadName = ' Gpo Creator ';     GoodName = 'Gpo Creator';       BadStatus = "More than 1 Admins"; GoodStatus = "Lower Than 1 User" }
)
foreach ($groupcheck in $groupchecks) {
    # Account names of the group's members; also listed in the toast on failure.
    $membernames = $groupcheck.Members.samaccountname
    if (($membernames).Count -gt $groupcheck.Limit) {
        New-HTMLStatus { New-HTMLStatusItem -Name $groupcheck.BadName -Status $groupcheck.BadStatus -Icon bad -Percentage '0%'}
        New-HTMLToast -TextHeader 'Information' -Text "$($membernames) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
    }
    else {
        # NOTE(review): this branch is also taken when the count equals the limit,
        # although the text reads "Lower Than".
        New-HTMLStatus { New-HTMLStatusItem -Name $groupcheck.GoodName -Status $groupcheck.GoodStatus -Icon Good -Percentage '100%' }
    }
}
if(($enterprisekeyadmins.samaccountname).Count -gt 1) {
New-HTMLStatus { New-HTMLStatusItem -Name ' Enterprise Key Admins ' -Status "More than 1 Admins" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text "$($enterprisekeyadmins.samaccountname) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
New-HTMLStatus { New-HTMLStatusItem -Name 'Enterprise Key Admins' -Status "Lower Than 1 User" -Icon Good -Percentage '100%' }
}
if(($emptygroup.name).Count -gt 1) {
New-HTMLStatus { New-HTMLStatusItem -Name ' Empty Group ' -Status "More than 1 Empty Groups" -Icon bad -Percentage '0%'}
New-HTMLToast -TextHeader 'Information' -Text "$($emptygroup.name) " -BarColorLeft Red -IconSolid info-circle -IconColor Red
}
else {
New-HTMLStatus { New-HTMLStatusItem -Name 'Empty Group' -Status "Lower Than 1 Empty Groups" -Icon Good -Percentage '100%' }
}
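# Check that every privileged account (adminCount=1) is a member of the
# Protected Users group, and list the ones that are not.
$protectedusersdisting = (Get-ADGroup "Protected Users").distinguishedname

# Query the directory once and reuse the result for both lists. krbtgt carries
# adminCount=1 but is not a candidate for Protected Users, so it is left out;
# with it included the check could never report success.
# NOTE(review): adminCount is not cleared when an account leaves a protected
# group, so former admins can appear here. Service accounts that rely on NTLM or
# delegation are also affected by Protected Users; review the list before acting.
$admincountusers = @(Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' -Properties samaccountname, memberof)

# @() keeps .Count reliable when exactly one account is returned.
$adminusersforprotected = @($admincountusers | Where-Object { $_.MemberOf -contains $protectedusersdisting } | Select-Object Samaccountname)
$adminusersfornotprotected = @($admincountusers | Where-Object { $_.MemberOf -notcontains $protectedusersdisting } | Select-Object Samaccountname)
$admincount1user = $admincountusers.Count

if ($adminusersforprotected.Count -eq $admincount1user) {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Admins in Protected Users' -Status "All Admins in Protected Users" -Icon Good -Percentage '100%' }
}
else {
    New-HTMLStatus { New-HTMLStatusItem -Name 'Admins in Protected Users' -Status "Not All Admins in Protected User" -Icon bad -Percentage '0%' }
    New-HTMLToast -TextHeader 'Information' -Text "$($adminusersfornotprotected.samaccountname)" -BarColorLeft Red -IconSolid info-circle -IconColor Red
}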
}}
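New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Firewall Status'
    New-HTMLPanel -Invisible {
        # Reports, for the Public, Private and Domain profiles, whether the
        # firewall is enabled and what the default inbound/outbound actions are.
        # Expected: enabled, inbound Block, outbound Allow.
        Write-Host "----------Firewall is checking------------------"

        # Read the effective policy (ActiveStore) in a single call. Without
        # -PolicyStore the cmdlet reads the locally stored profile, where
        # defaults show up as NotConfigured and settings delivered by GPO are
        # not reflected, so a correctly configured host was reported as failing.
        # Only the machine running the script is inspected.
        $firewallprofiles = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
                Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction)

        foreach ($profilename in 'Public', 'Private', 'Domain') {
            $fw = $firewallprofiles | Where-Object { $_.Name -eq $profilename }

            if ($fw.Enabled -eq $true) {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall" -Status "Enabled" -Icon Good -Percentage '100%' }
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall" -Status "Disabled" -Icon Bad -Percentage '0%' }
            }

            if ($fw.DefaultInboundAction -eq "Block") {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall Inbound" -Status "Blocked" -Icon Good -Percentage '100%' }
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall Inbound" -Status "Allowed" -Icon Bad -Percentage '0%' }
            }

            if ($fw.DefaultOutboundAction -eq "Allow") {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall Outbound" -Status "Allowed" -Icon Good -Percentage '100%' }
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name "$profilename Firewall Outbound" -Status "Blocked" -Icon Bad -Percentage '0%' }
            }
        }
    }
}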
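New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Domain Controllers and AD'
    New-HTMLPanel -Invisible {
        # Forest-level health items: number of domain controllers, AD Recycle
        # Bin, and the domain / forest functional levels.
        Write-Host "-------------------AD CHecking-------------"
        $domains = (Get-ADForest).Domains
        # Counts the domain controllers of every domain in the forest.
        $domainControllers = (($domains | ForEach-Object { Get-ADDomainController -Server $_ -Filter * }).HostName).Count
        # EnabledScopes is empty while the Recycle Bin feature is not enabled.
        $recyclebin = (Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' -Properties *).EnabledScopes
        $domainmode = Get-ADDomain | Select-Object DomainMode
        $forestmode = Get-ADForest | Select-Object ForestMode

        if ($domainControllers -eq 1) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Domain Controllers Count' -Status "Only 1 Domain Controllers" -Icon bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Add Another Domain Controller Server for High Avability and Disaster Recovery ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Domain Controllers Count' -Status "Enough,You have $($domainControllers) Domain Controllers" -Icon Good -Percentage '100%' }
        }

        if ($recyclebin) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Recyle Bin' -Status "Enabled" -Icon Good -Percentage '100%' }
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Recyle Bin' -Status "Disable" -Icon bad -Percentage '0%' }
        }

        # NOTE(review): "Latest" is hard-coded to the 2016 functional level; a
        # domain or forest at a newer level would be reported as needing an
        # upgrade. Confirm against the newest level your DCs support.
        if ($domainmode.DomainMode -eq "Windows2016Domain") {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Domain Mode' -Status "Latest $($domainmode.DomainMode)" -Icon Good -Percentage '100%' }
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Domain Mode' -Status "Upgrade Domain Mode" -Icon bad -Percentage '0%' }
        }

        if ($forestmode.ForestMode -eq "Windows2016Forest") {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Forest Mode' -Status "Latest $($forestmode.ForestMode)" -Icon Good -Percentage '100%' }
        }
        else {
            # The forest item previously told the reader to upgrade the domain mode.
            New-HTMLStatus { New-HTMLStatusItem -Name 'Forest Mode' -Status "Upgrade Forest Mode" -Icon bad -Percentage '0%' }
        }
    }
}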
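New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Spooler Service'
    New-HTMLPanel -Invisible {
        # Print Spooler should not be available on a domain controller.
        # Get-Service is called without a computer name, so only the machine
        # running the script is checked, not every DC.
        Write-Host "----Print Service checking---"
        $spoolerservice = Get-Service -Name Spooler | Select-Object Status, StartType

        if ($spoolerservice.Status -eq "Running") {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Spooler Service' -Status "Running" -Icon bad -Percentage '0%' }
        }
        elseif ($null -ne $spoolerservice.StartType -and $spoolerservice.StartType -ne 'Disabled') {
            # A stopped service that is still startable (Manual/Automatic) can
            # come back on demand or after a reboot, so it is not reported as compliant.
            New-HTMLStatus { New-HTMLStatusItem -Name 'Spooler Service' -Status "Stopped but start type is $($spoolerservice.StartType)" -Icon bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Set the Spooler service start type to Disabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Spooler Service' -Status "Stopped or Disabled" -Icon Good -Percentage '100%' }
        }
    }
}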
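New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Unlinked Gpo Status'
    New-HTMLPanel -Invisible {
        # Lists GPOs whose XML report contains no <LinksTo> element, i.e. GPOs
        # that are not linked anywhere.
        Write-Host "-------------------GPO Checking-------------"
        # @() forces an array: with exactly one unlinked GPO the single selected
        # object has no usable .Count in Windows PowerShell, so the report
        # showed an empty number.
        $unlinkedgpo = @(Get-GPO -All |
                Where-Object { $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" } |
                Select-Object DisplayName)

        if ($unlinkedgpo.Count -eq 0) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Unlinked Gpo' -Status "No Unlinked Gpo" -Icon Good -Percentage '100%' }
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Unlinked Gpo' -Status "There are $($unlinkedgpo.Count)" -Icon bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text "$($unlinkedgpo.displayname)" -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
    }
}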
New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Fine Grained Password Policy'
    New-HTMLPanel -Invisible {
        # Passes as soon as at least one fine-grained password policy exists.
        # NOTE(review): only existence is tested. Neither the policy's settings
        # nor the accounts or groups it applies to are examined, so a green
        # item does not show that admin accounts are covered.
        Write-Host "Fine Grained Policy----------------"
        $finegrainedpolicy = Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object -Property Name

        if (-not $finegrainedpolicy) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Fine Grained Policy' -Status "You Need Password Policy For Admins" -Icon bad -Percentage '0%' }
        }
        else {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Fine Grained Policy' -Status "There is" -Icon Good -Percentage '100%' }
        }
    }
}
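New-HTMLContainer {
    New-HTMLHeading -Heading h1 -HeadingText 'Templates'
    New-HTMLPanel -Invisible {
        # Administrative Templates checks. Each check looks up one policy by its
        # display name in the output of computerpolicy (defined earlier in the
        # script) and compares its state, and for some policies its selected
        # option, with the expected baseline value.

        # computerpolicy walks every GPO report, so run it once and reuse it.
        $policies = @(computerpolicy)

        # Emits the status items for one policy.
        #   Policies          - objects returned by computerpolicy
        #   PolicyName        - policy display name; also the default item label
        #   Label             - short name used in the console progress message
        #   ExpectedState     - state that counts as compliant
        #   ExpectedValue     - optional: required dropdownlistvaluename
        #   StateItemName     - label of the green "state" item
        #   ValueGoodItemName - label of the green "option" item
        #   ValueBadItemName  - label of the red "option" item
        # The extra label parameters exist only to keep the report labels as
        # they were (some carry a trailing space or a suffix).
        function Show-PolicyCheck {
            param(
                $Policies,
                [string]$PolicyName,
                [string]$Label,
                [string]$ExpectedState = 'Enabled',
                [string]$ExpectedValue,
                [string]$StateItemName = $PolicyName,
                [string]$ValueGoodItemName = $PolicyName,
                [string]$ValueBadItemName = $PolicyName
            )

            $setting = $Policies | Where-Object { $_.Name -eq $PolicyName } |
                Select-Object Name, State, dropdownlistvaluename -First 1

            if ($null -ne $setting) {
                Write-Host "$Label is defined " -ForegroundColor Green
            }

            # Policy absent from every GPO, or present with the wrong state.
            if ($null -eq $setting -or -not ($setting.State -eq $ExpectedState)) {
                New-HTMLStatus { New-HTMLStatusItem -Name $PolicyName -Status "Setting is not Defined $($setting.State)" -Icon bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text "Must Be $ExpectedState " -BarColorLeft Red -IconSolid info-circle -IconColor Red
                return
            }

            New-HTMLStatus { New-HTMLStatusItem -Name $StateItemName -Status "Setting is $($setting.State)" -Icon Good -Percentage '100%' }

            # Policies without an option to verify stop here.
            if (-not $ExpectedValue) {
                return
            }

            if ($setting.dropdownlistvaluename -eq $ExpectedValue) {
                New-HTMLStatus { New-HTMLStatusItem -Name $ValueGoodItemName -Status "Setting is $($setting.dropdownlistvaluename)" -Icon Good -Percentage '100%' }
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name $ValueBadItemName -Status "Setting is False $($setting.dropdownlistvaluename)" -Icon bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text "Must Be $ExpectedValue " -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ##preventlockcamera
        Show-PolicyCheck -Policies $policies -PolicyName 'Prevent enabling lock screen camera' -Label 'preventlockcamera'
        ##preventlockslide
        Show-PolicyCheck -Policies $policies -PolicyName 'Prevent enabling lock screen slide show' -Label 'preventlockslide'
        ##donotallowpasswordsaved
        Show-PolicyCheck -Policies $policies -PolicyName 'Do not allow passwords to be saved' -Label 'donotallowpasswordsaved'
        ##alwayspromptpassword
        Show-PolicyCheck -Policies $policies -PolicyName 'Always prompt for password upon connection' -Label 'alwayspromptpassword'
        ##rpccommunication
        Show-PolicyCheck -Policies $policies -PolicyName 'Require secure RPC communication' -Label 'rpccommunication'
        ##clientencryptionlevel
        Show-PolicyCheck -Policies $policies -PolicyName 'Set client connection encryption level' -Label 'clientencryptionlevel' `
            -ExpectedValue 'High Level' -ValueGoodItemName 'Set client connection encryption level High'
        ##smartscreen
        Show-PolicyCheck -Policies $policies -PolicyName 'Configure Windows Defender SmartScreen' -Label 'smartscreen' `
            -ExpectedValue 'Warn and prevent bypass' `
            -ValueGoodItemName 'Configure Windows Defender SmartScreen Level' `
            -ValueBadItemName 'Configure Windows Defender SmartScreen Level'
        ##turnofautoplay
        Show-PolicyCheck -Policies $policies -PolicyName 'Turn off Autoplay' -Label 'turnofautoplay' `
            -ExpectedValue 'All drives' -StateItemName 'Turn off Autoplay ' `
            -ValueGoodItemName 'Turn off Autoplay Settings' -ValueBadItemName 'Turn off Autoplay Settings'
        ##autorunbehavior
        # The failing item used to be labelled 'Set the default behavior for AutoRuny'.
        Show-PolicyCheck -Policies $policies -PolicyName 'Set the default behavior for AutoRun' -Label 'autorunbehavior' `
            -ExpectedValue 'Do not execute any autorun commands' -StateItemName 'Set the default behavior for AutoRun '

        ##hardenedunc
        # NOTE(review): only the \\*\SYSVOL entry is verified. A NETLOGON entry,
        # if your baseline requires one, is not checked. If listboxname/listbox
        # hold several values, -eq acts as a filter here; confirm the shape
        # returned by computerpolicy.
        $hardenedunc = $policies | Where-Object { $_.Name -eq "Hardened UNC Paths" } |
            Select-Object Name, State, listbox, listboxname -First 1
        if ($null -eq $hardenedunc) {
            New-HTMLStatus { New-HTMLStatusItem -Name 'Hardened UNC Paths' -Status "Setting is not Defined $($hardenedunc.State)" -Icon bad -Percentage '0%' }
            New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
        }
        else {
            Write-Host "hardenedunc is defined " -ForegroundColor Green
            if ($hardenedunc.state -eq "Enabled") {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Hardened UNC Paths ' -Status "Setting is $($hardenedunc.State)" -Icon Good -Percentage '100%' }
                if ($hardenedunc.listboxname -eq '\\*\SYSVOL') {
                    New-HTMLStatus { New-HTMLStatusItem -Name 'SYSVOL Hardening Exist' -Status "Setting is $($hardenedunc.listboxname)" -Icon Good -Percentage '100%' }
                    if ($hardenedunc.listbox -eq "RequireMutualAuthentication=1,RequireIntegrity=1") {
                        New-HTMLStatus { New-HTMLStatusItem -Name 'SYSVOL Hardening Require' -Status "Setting is $($hardenedunc.listbox)" -Icon Good -Percentage '100%' }
                    }
                    else {
                        New-HTMLStatus { New-HTMLStatusItem -Name 'SYSVOL Hardening Require' -Status "Setting is False $($hardenedunc.listbox)" -Icon bad -Percentage '0%' }
                        New-HTMLToast -TextHeader 'Information' -Text 'Must Be RequireMutualAuthentication=1,RequireIntegrity=1 ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
                    }
                }
                else {
                    New-HTMLStatus { New-HTMLStatusItem -Name 'SYSVOL Hardening Exist' -Status "Setting is False $($hardenedunc.listboxname)" -Icon bad -Percentage '0%' }
                    New-HTMLToast -TextHeader 'Information' -Text 'Must Be SYSVOL Hardening ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
                }
            }
            else {
                New-HTMLStatus { New-HTMLStatusItem -Name 'Hardened UNC Paths' -Status "Setting is not Defined $($hardenedunc.State)" -Icon bad -Percentage '0%' }
                New-HTMLToast -TextHeader 'Information' -Text 'Must Be Enabled ' -BarColorLeft Red -IconSolid info-circle -IconColor Red
            }
        }

        ##insecurelogon
        # This policy is compliant when Disabled. The hint used to read
        # 'Must Be Enabled', which is the opposite of what the check requires,
        # and the console message named rpccommunication.
        Show-PolicyCheck -Policies $policies -PolicyName 'Enable insecure guest logons' -Label 'insecurelogon' -ExpectedState 'Disabled'
    }
}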
}-FilePath c:\adresult.html -ShowHTML
Diğer AD Security Checklist yazımı aşağıdaki linkten kontrol edebilirsiniz.