Public Pastes
SHARE
TWEET

Untitled

a guest Dec 3rd, 2019 97 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ####################### CREDENTIAL CACHING #######################
  2.  
  3. This script is unable to check Number of Previous Logons to cache, this is because the setting is in the security registry hive, please check the GPO located at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon
  4. Do not allow storage of passwords and credentials for network authentication is disabled
  5. WDigest is not configured
  6. Virtualisation Based security is enabled
  7. Secure Boot and DMA Protection is enabled
  8. Virtualisation Based Protection of Code Integrity with UEFI lock is enabled
  9.  
  10. ####################### CONTROLLED FOLDER ACCESS #######################
  11.  
  12. Controlled Folder Access for Exploit Guard is not configured
  13.  
  14. ####################### CREDENTIAL ENTRY #######################
  15.  
  16. Do not display network selection UI is enabled
  17. Enumerate local users on domain joined computers is enabled
  18. Do not display the password reveal button is enabled
  19. Enumerate administrator accounts on elevation is disabled
  20. Require trusted path for credential entry is not configured
  21. Disable or enable software Secure Attention Sequence is not configured or disabled
  22. Sign-in last interactive user automatically after a system-initiated restart is disabled
  23. Interactive logon: Do not require CTRL+ALT+DEL is disabled
  24. Interactive logon: Don't display username at sign-in is disabled
  25.  
  26. ####################### EARLY LAUNCH ANTI MALWARE #######################
  27.  
  28. ELAM Boot-Start Driver Initialization Policy is enabled, but set to Good, Unknown, Bad but critical
  29.  
  30. ####################### ELEVATING PRIVILEGES #######################
  31.  
  32. Admin Approval Mode for the Built-in Administrator account is not configured
  33. Allow UIAccess applications to prompt for elevation without using the secure desktop is disabled
  34. Behavior of the elevation prompt for administrators in Admin Approval Mode is configured, but set to Prompt for consent for non-Windows binaries
  35. Behavior of the elevation prompt for standard users is configured, but set to Prompt for credentials
  36. Detect application installations and prompt for elevation is enabled
  37. Only elevate UIAccess applications that are installed in secure locations is enabled
  38. Run all administrators in Admin Approval Mode is enabled
  39. Switch to the secure desktop when prompting for elevation is enabled
  40. Virtualize file and registry write failures to per-user locations is enabled
  41.  
  42. ####################### EXPLOIT PROTECTION #######################
  43.  
  44. Prevent users from modifying settings is enabled
  45. Turn off Data Execution Prevention for Explorer is disabled
  46. Enabled Structured Exception Handling Overwrite Protection (SEHOP) is enabled
  47.  
  48. ####################### LOCAL ADMINISTRATOR ACCOUNTS #######################
  49.  
  50. Apply UAC restrictions to local accounts on network logons is not configured
  51.  
  52. ####################### MICROSOFT EDGE #######################
  53.  
  54. Flash Player is Not Configured
  55. Edge Developer Tools are Not Configured
  56. Edge Do Not Track is Not Configured
  57. Edge Password Manager is Not Configured
  58. Edge Pop-up Blocker is Not Configured
  59. Configure Windows Defender SmartScreen is disabled
  60. Prevent access to the about:flags page in Microsoft Edge is not configured
  61. Prevent bypassing Windows Defender SmartScreen prompts for sites is enabled in Local Machine GP
  62. Prevent users and apps from accessing dangerous websites is enabled
  63. Turn on Windows Defender Application Guard in Enterprise Mode is not configured
  64. Configure Windows Defender SmartScreen is enabled in Local Machine GP
  65. Prevent bypassing Windows Defender SmartScreen prompts for sites is enabled in Local Machine GP
  66.  
  67. ####################### MULTI-FACTOR AUTHENTICATION #######################
  68.  
  69. There are no controls in this section that can be checked by a PowerShell script, this control requires manual auditing
  70.  
  71. ####################### OPERATING SYSTEM ARCHITECTURE #######################
  72.  
  73. Operating System Architecture is 64-Bit
  74.  
  75. ####################### OPERATING SYSTEM PATCHING #######################
  76.  
  77. Allow Automatic Updates immediate installation is not configured
  78. Configure Automatic Updates is enabled
  79. Do not include drivers with Windows Updates is not configured
  80. No auto-restart with logged on users for scheduled automatic updates installations is not configured
  81. Remove access to use all Windows Update features is not configured
  82. Turn on recommended updates via Automatic Updates is not configured
  83. Specify intranet Microsoft update service location is not configured
  84.  
  85. ####################### PASSWORD POLICY #######################
  86.  
  87. Turn off picture password sign-in is enabled
  88. Turn on convenience PIN sign-in is disabled
  89. Enforce Password History is set to None which is a compliant setting
  90. Maximum password age is set to Unlimited which is a non-compliant setting
  91. Minimum password age is set to 0 which is a compliant setting
  92. Minimum password length is set to 0 which is a non-compliant setting
  93. Store passwords using reversible encryption is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Administrative Templates\System\Logon
  94. Limit local account use of blank passwords to console logon only is enabled
  95.  
  96. ####################### RESTRICTING PRIVILEGED ACCOUNTS #######################
  97.  
  98. There are no controls in this section that can be checked by a PowerShell script, this control requires manual auditing
  99.  
  100. ####################### SECURE BOOT #######################
  101.  
  102. Secure Boot status was unable to be determined
  103.  
  104. ####################### ACCOUNT LOCKOUT POLICIES #######################
  105.  
  106. Account Lockout Duration is set to 30 which is a non-compliant setting
  107. Account Lockout Threshold is set to Never which is a non-compliant setting
  108. Account Lockout Threshold is set to 30 minutes which is a compliant setting
  109.  
  110. ####################### ANONYMOUS CONNECTIONS #######################
  111.  
  112. Enable insecure guest logons is disabled
  113. Allow anonymous SID/Name translation is disabled
  114. Network access: Do not allow anonymous enumeration of SAM accounts is enabled
  115. Network access: Do not allow anonymous enumeration of SAM accounts and shares is disabled
  116. Network access: Let Everyone permissions apply to anonymous users is disabled
  117. Network access: Restrict anonymous access to Named Pipes and Shares is enabled
  118. Network access: Do not allow anonymous enumeration of SAM accounts and shares is not configured
  119. Network security: Allow Local System to use computer identity for NTLM is not configured
  120. Network security: Allow LocalSystem NULL session fallback is not configured
  121. Access this computer from the network is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\. ASD Recommendation is to only have 'Administrators & Remote Desktop Users' present
  122. Deny Access to this computer from the network is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\. ASD Recommendation is to only have 'Guests & NT AUTHORITY\Local Account' present
  123.  
  124. ####################### ANTI-VIRUS SOFTWARE #######################
  125.  
  126. Turn off Windows Defender Antivirus is disabled
  127. Configure local setting override for reporting to Microsoft Active Protection Service (MAPS). is not configured
  128. Configure the 'Block at First Sight' feature is not configured
  129. Join Microsoft Active Protection Service (MAPS). is not configured
  130. Send file samples when further analysis is required is not configured
  131. Configure extended cloud check is not configured
  132. Select cloud protection level is not configured
  133. Configure local setting override for scanning all downloaded files and attachments is not configured
  134. Turn off real-time protection is not configured
  135. Turn on behavior monitoring is not configured
  136. Turn on process scanning whenever real-time protection is enabled is not configured
  137. Configure removal of items from Quarantine folder is not configured
  138. Allow users to pause scan is not configured
  139. Check for the latest virus and spyware definitions before running a scheduled scan is not configured
  140. Scan archive files is not configured
  141. Scan packed executables is not configured
  142. Scan removable drives is not configured
  143. Turn on e-mail scanning is not configured
  144. Turn on heuristics is not configured
  145.  
  146. ####################### ATTACHMENT MANAGER #######################
  147.  
  148. Do not preserve zone information in file attachments is not configured
  149. Hide mechanisms to remove zone information is not configured
  150.  
  151. ####################### AUDIT EVENT MANAGEMENT #######################
  152.  
  153. Include command line in process creation events is disabled
  154. Specify the maximum log file size (KB) for the Application Log is set to 32769 which is a lower value than 65536 required for compliance
  155. Specify the maximum log file size (KB) for the Security Log is set to 196609 which is a higher value than 65536 required for compliance
  156. Specify the maximum log file size (KB) for the System Log is set to 32769 which is a lower value than 65536 required for compliance
  157. Specify the maximum log file size (KB) for the Setup Log is set to 32769 which is a lower value than 65536 required for compliance
  158. Manage Auditing and Security Log is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. ASD Recommendation is to only have 'Administrators' present
  159. Audit Credential Validation is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon. ASD Recommendation is to have 'Success and Failure' Present
  160. Audit Computer Account Management is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  161. Audit Other Account Management Events is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  162. Audit Security Group Management is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  163. Audit User Account Management is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  164. Audit PNP Activity is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  165. Audit Process Creation is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  166. Audit Process Termination is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  167. Audit Account Lockout is unable to be checked using PowerShell, as the setting is not a registry key. Please check. ASD Recommendation is to have 'Success and Failure' Present
  168. Audit Group Membership is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  169. Audit Logoff is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  170. Audit Logon is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  171. Audit Other Logon/Logoff Events is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  172. Audit Audit Special Logon is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  173. Audit File Share is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  174. Audit Kernel Object is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  175. Audit Other Object Access Events is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  176. Audit Removable Storage is unable to be checked using PowerShell, as the setting is not a registry key ASD Recommendation is to have 'Success and Failure' Present
  177. Audit Audit Policy Change is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  178. Audit Authentication Policy Change is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  179. Audit Authorization Policy Change is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  180. Audit Sensitive Privilege Use is unable to be checked using PowerShell, as the setting is not a registry key. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use. ASD Recommendation is to have 'Success and Failure' Present
  181. Audit IPsec Driver is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  182. Audit Other System Events is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  183. Audit Security State Change is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success' Present
  184. Audit Security System Extension is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  185. Audit System Integrity is unable to be checked using PowerShell, as the setting is not a registry key. ASD Recommendation is to have 'Success and Failure' Present
  186. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is not configured
  187.  
  188. ####################### AUTOPLAY AND AUTORUN #######################
  189.  
  190. Disallow Autoplay for non-volume devices is enabled in Local Machine GP
  191. Set the default behavior for AutoRun is enabled in Local Machine GP
  192. Turn off Autoplay is enabled in Local Machine GP
  193.  
  194. ####################### BIOS AND UEFI PASSWORDS #######################
  195.  
  196. Unable to confirm that a BIOS password is set via PowerShell. Please manually check if a BIOS password is set (if applicable)
  197.  
  198. ####################### BOOT DEVICES #######################
  199.  
  200. Unable to confirm the BIOS device boot order. Please manually check to ensure that the hard disk of this device is the primary boot device and the machine is unable to be booted off removable media (if applicable)
  201.  
  202. ####################### BRIDGING NETWORKS #######################
  203.  
  204. Prohibit installation and configuration of Network Bridge on your DNS domain network is enabled
  205. Route all traffic through the internal network is not configured
  206. Prohibit connection to non-domain networks when connected to domain authenticated network is enabled
  207.  
  208. ####################### BUILT-IN GUEST ACCOUNTS #######################
  209.  
  210. The local guest account is disabled
  211. Deny Logon Locally is unable to be checked realiably using PowerShell. Please check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. ASD Recommendation is to have 'Guests' present.
  212.  
  213. ####################### CASE LOCKS #######################
  214.  
  215. Unable to check if this computer has a physical case lock with a PowerShell script! Ensure the physical workstation is secured to prevent tampering, such as adding / removing hardware or removing CMOS battery.
  216.  
  217. ####################### CD BURNER ACCESS #######################
  218.  
  219. Remove CD Burning features is not configured
  220.  
  221. ####################### CENTRALISED AUDIT EVENT LOGGING #######################
  222.  
  223. Centralised Audit Event Logging is unable to be checked with PowerShell. Ensure the organisation is using Centralised Event Logging, please confirm events from endpoint computers are being sent to a central location.
  224.  
  225. ####################### COMMAND PROMPT #######################
  226.  
  227. Prevent access to the command prompt is not configured
  228.  
  229. ####################### DIRECT MEMORY ACCESS #######################
  230.  
  231. Prevent installation of devices that match any of these device IDs is enabled
  232. Prevent installation of devices that match any of these device IDs (retroactively) is enabled
  233. PCI\CC_0C0A is included on the banned device list to prevent DMA installations
  234. Prevent installation of devices using drivers that match these device setup classes is enabled
  235. Prevent installation of devices using drivers that match these device setup classes (retroactively) is enabled
  236. {d48179be-ec20-11d1-b6b8-00c04fa372a7} is not included on the banned device list to prevent DMA installations.
  237.  
  238. ####################### ENDPOINT DEVICE CONTROL #######################
  239.  
  240. All Removable Storage classes: Deny all access is not configured in local machine group policy
  241. All Removable Storage classes: Deny all access is not configured in user group policy
  242. CD and DVD: Deny execute access is not configured in local machine group policy
  243. CD and DVD: Deny read access is not configured in local machine group policy
  244. CD and DVD: Deny write access is not configured in local machine group policy
  245. CD and DVD: Deny read access is not configured in user group policy
  246. CD and DVD: Deny write access is not configured in user group policy
  247. Custom Classes: Deny read access is not configured in local machine group policy
  248. Custom Classes: Deny write access is not configured in local machine group policy
  249. Custom Classes: Deny read access is not configured in user group policy
  250. Custom Classes: Deny write access is not configured in user group policy
  251. Floppy Drives: Deny execute access is not configured in local machine group policy
  252. Floppy Drives: Deny read access is not configured in local machine group policy
  253. Floppy Drives: Deny write access is not configured in local machine group policy
  254. Floppy Drives: Deny read access is not configured in user group policy
  255. Floppy Drives: Deny write access is not configured in user group policy
  256. Removable Disks: Deny execute access is not configured in local machine group policy
  257. Removable Disks: Deny read access is not configured in local machine group policy
  258. Removable Disks: Deny write access is not configured in local machine group policy
  259. Removable Disks: Deny read access is not configured in user group policy
  260. Removable Disks: Deny write access is not configured in user group policy
  261. Tape Drives: Deny execute access is not configured in local machine group policy
  262. Tape Drives: Deny read access is not configured in user group policy
  263. Tape Drives: Deny write access is not configured in user group policy
  264. Tape Drives: Deny read access is not configured in local machine group policy
  265. Tape Drives: Deny write access is not configured in local machine group policy
  266. WPD Devices: Deny read access is not configured in local machine group policy
  267. WPD Devices: Deny write access is not configured in local machine group policy
  268. WPD Devices: Deny read access is not configured in user group policy
  269. WPD Devices: Deny write access is not configured in user group policy
  270.  
  271. ####################### FILE AND PRINT SHARING #######################
  272.  
  273. Prevent the computer from joining a homegroup is enabled
  274. Prevent users from sharing files within their profile is not configured
  275.  
  276. ####################### GROUP POLICY PROCESSING #######################
  277.  
  278. Hardened UNC Paths are not configured, disabled or no paths are defined
  279. Configure registry policy processing is enabled
  280. Configure security policy processing is not configured
  281. Turn off background refresh of Group Policy is not configured
  282. Turn off Local Group Policy Objects processing is not configured
  283.  
  284. ####################### HARD DRIVE ENCRYPTION #######################
  285.  
  286. Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) is not configured or disabled
  287. Disable new DMA devices when this computer is locked is not configured
  288. Prevent memory overwrite on restart is not configured
  289. Choose how BitLocker-protected fixed  drives can be recovered has been configured
  290. Configure use of passwords for fixed data drives has been configured
  291. Passwords required for fixed data drives is disabled
  292. Bitlocker Minimum passphrase length is set to  which is less than the minimum requirement of 10 characters
  293. Deny write access to fixed drives not protected by BitLocker is not configured
  294. Enforce drive encryption type on fixed data drive is not configured
  295. Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN is not configured
  296. Allow enhanced PINs for startup is enabled
  297. Allow network unlock at startup is not configured
  298. Allow Secure Boot for integrity validation is enabled
  299. Choose how BitLocker-protected operating system drives can be recovered has been configured
  300. Configure minimum PIN length for startup is not configured
  301. Configure use of passwords for operating system drives has been configured
  302. Passwords required for operating system drives is disabled
  303. Bitlocker Minimum passphrase length is set to  which is less than the minimum requirement of 10 characters
  304. Disallow standard users from changing the PIN or password is not configured
  305. Enforce drive encryption type on operating system drive is not configured
  306. Require additional authentication at startup is not configured
  307. Reset platform validation data after BitLocker recovery is not configured
  308. Choose how BitLocker-protected removable drives can be recovered has been configured
  309. Configure use of passwords for removable drives has been configured
  310. Passwords required for removable drives is disabled
  311. Bitlocker Minimum passphrase length is set to  which is less than the minimum requirement of 10 characters
  312. Control use of bitlocker on removable drives is not configured
  313. Deny write access to removable drives not protected by BitLocker is enabled
  314. Enforce drive encryption type on removable data drive  is not configured
  315.  
  316. ####################### INSTALLING APPLICATIONS #######################
  317.  
  318. Configure Windows Defender SmartScreen is disabled
  319. Allow user control over installs is disabled
  320. Always install with elevated privileges is disabled in local machine policy
  321. Always install with elevated privileges is not configured in user policy
  322.  
  323. ####################### INTERNET PRINTING #######################
  324.  
  325. Turn off downloading of print drivers over HTTP is not configured
  326. Turn off printing over HTTP is enabled
  327.  
  328. ####################### LEGACY AND RUN ONCE LISTS #######################
  329.  
  330. Do not process the legacy run list is not configured
  331. Do not process the run once list is not configured
  332. Run These Programs At User Logon is disabled, no run keys are set
  333.  
  334. ####################### MICROSOFT ACCOUNTS #######################
  335.  
  336. Block all consumer Microsoft account user authentication is enabled
  337. Prevent the usage of OneDrive for file storage is enabled
  338. This setting is unable to be checked with PowerShell as it is a registry key, please manually check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  339.  
  340. ####################### MSS SETTINGS #######################
  341.  
  342. MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) is not configured
  343. MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) is not configured
  344. MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes is not configured
  345. MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers is not configured
  346.  
  347. ####################### NETBIOS OVER TCP/IP #######################
  348.  
  349. NetBIOS Over TCP/IP service is running, NetBIOS over TCP/IP is likely enabled
  350.  
  351. ####################### NETWORK AUTHENTICATION #######################
  352.  
  353. Network security: Configure encryption types allowed for Kerberos is not configured
  354. Network security: LAN Manager authentication level is not configured
  355. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients is configured with a non-compliant setting, it must be set to Require NTLMv2 session security and Require 128-bit encryption
  356. Network security: Minimum session security for NTLM SSP based (including secure RPC) servers is configured with a non-compliant setting, it must be set to Require NTLMv2 session security and Require 128-bit encryption
  357.  
  358. ####################### NOLM HASH POLICY #######################
  359.  
  360. Network security: Do not store LAN Manager hash value on next password change is enabled
  361.  
  362. ####################### OPERATING SYSTEM FUNCTIONALITY #######################
  363.  
  364. There are 203 services present on this machine, however only 27 have been disabled. This indicates that no functionality reduction, or a minimal level of functionality reduction has been applied to this machine.
  365.  
  366. ####################### POWER MANAGEMENT #######################
  367.  
  368. Allow standby states (S1-S3) when sleeping (on battery) is disabled
  369. Allow standby states (S1-S3) when sleeping (plugged in) is disabled
  370. Require a password when a computer wakes (on battery) is enabled
  371. Require a password when a computer wakes (plugged in) is enabled
  372. Specify the system hibernate timeout (on battery) is not configured
  373. Specify the system hibernate timeout (plugged in) is not configured
  374. Specify the system sleep timeout (on battery) is not configured
  375. Specify the system sleep timeout (plugged in) is not configured
  376. Specify the unattended sleep timeout (on battery) is not configured
  377. Specify the unattended sleep timeout (plugged in) is not configured
  378. Turn off hybrid sleep (on battery) is not configured
  379. Turn off hybrid sleep (plugged in) is not configured
  380. Show hibernate in the power options menu is not configured
  381. Show sleep in the power options menu is not configured
  382.  
  383. ####################### POWERSHELL #######################
  384.  
  385. Turn on PowerShell Script Block Logging is disabled in Local Machine GP
  386. Turn on PowerShell Script Block Invocation Logging is not configured
  387. Turn on Script Execution is not configured
  388. Script Execution is not configured
  389.  
  390. ####################### REGISTRY EDITING TOOLS #######################
  391.  
  392. Prevent access to registry editing tools is not configured
  393.  
  394. ####################### REMOTE ASSISTANCE #######################
  395.  
  396. Configure Offer Remote Assistance is disabled
  397. Configure Solicited Remote Assistance is disabled
  398.  
  399. ####################### REMOTE DESKTOP SERVICES #######################
  400.  
  401. Allow users to connect remotely by using Remote Desktop Services is not configured
  402. No members are allowed to logon through remote desktop services, this setting is compliant
  403. Unable to check members of deny logon through remote desktop services at this time please manually check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Logon through Remote Desktop Services and ensure 'Administrators' 'Guests' and 'NT Authority\Local Account' are members
  404. Remote host allows delegation of non-exportable credentials is enabled
  405. Configure server authentication for client is not configured
  406. Do not allow passwords to be saved is enabled
  407. Deny logoff of an administrator logged in to the console session is not configured
  408. Do not allow Clipboard redirection is not configured
  409. Do not allow drive redirection is enabled
  410. Always prompt for password upon connection is enabled
  411. Do not allow local administrators to customize permissions is not configured
  412. Require secure RPC communication is enabled
  413. Require use of specific security layer for remote (RDP) connections is set to SSL
  414. Require user authentication for remote connections by using Network Level Authentication is enabled
  415. Set client connection encryption level is set to high
  416.  
  417. ####################### REMOTE PROCEDURE CALL #######################
  418.  
  419. Restrict Unauthenticated RPC clients is enabled
  420.  
  421. ####################### REPORTING SYSTEM INFORMATION #######################
  422.  
  423. Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider is disabled
  424. Turn off Inventory Collector is not configured
  425. Turn off Steps Recorder is not configured
  426. Allow Telemetry is enabled in Local Machine GP
  427. Configure Corporate Windows Error Reporting is not configured
  428. Connect using SSL is not configured
  429.  
  430. ####################### SAFE MODE #######################
  431.  
  432. Block Non-Administrators in Safe Mode not configured
  433.  
  434. ####################### SECURE CHANNEL COMMUNICATIONS #######################
  435.  
  436. Domain member: Digitally encrypt or sign secure channel data (always) is enabled
  437. Domain member: Digitally encrypt secure channel data (when possible) is enabled
  438. Domain member: Digitally sign secure channel data (when possible) is enabled
  439. Domain member: Require strong (Windows 2000 or later) session key is enabled
  440.  
  441. ####################### SECURITY POLICIES #######################
  442.  
  443. Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services is disabled
  444. Turn off Microsoft consumer experiences is enabled
  445. Turn off heap termination on corruption is disabled
  446. Turn off shell protocol protected mode is disabled
  447. Prevent downloading of enclosures is enabled in Local Machine GP
  448. Allow indexing of encrypted files is disabled
  449. Enables or disables Windows Game Recording and Broadcasting is not configured
  450. Domain member: Disable machine account password changes is disabled
  451. Domain member: Maximum machine account password age is set to a compliant setting
  452. Network security: Allow PKU2U authentication requests to this computer to use online identities is not configured
  453. Unable to check Network security: Force logoff when logon hours expire because it is not a registry setting. Please manually check Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and ensure this is set to enabled.
  454. Network security: LDAP client signing requirements is enabled and set to Negotiate Signing
  455. System objects: Require case insensitivity for non-Windows subsystems is enabled
  456. System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) is enabled
  457.  
  458. ####################### SERVER MESSAGE BLOCK SESSIONS #######################
  459.  
  460. Configure SMB v1 client driver is not configured
  461. Configure SMB v1 server is not configured
  462. Microsoft Network Client: Digitally sign communications (always) is disabled
  463. Microsoft network client: Digitally sign communications (if server agrees) is enabled
  464. Microsoft network client: Send unencrypted password to third-party SMB servers is disabled
  465. Microsoft network server: Amount of idle time required before suspending session is less than or equal to 15 mins
  466. Microsoft network server: Digitally sign communications (always) is disabled
  467. Microsoft network server: Digitally sign communications (if client agrees) is disabled
  468.  
  469. ####################### SESSION LOCKING #######################
  470.  
  471. Prevent enabling lock screen camera is enabled
  472. Prevent enabling lock screen slide show is enabled
  473. Allow users to select when a password is required when resuming from connected standby is not configured
  474. Turn off app notifications on the lock screen is enabled
  475. Show lock in the user tile menu is not configured
  476. Allow Windows Ink Workspace is on but dissalow access above lock
  477. No inactivity timeout has been configured
  478. Enable screen saver is not configured
  479. Password protect the screen saver is not configured
  480. Screen saver timeout is not configured
  481. Turn off toast notifications on the lock screen is not configured
  482. Do not suggest third-party content in Windows spotlight is not configured
  483.  
  484. ####################### SOFTWARE-BASED FIREWALLS #######################
  485.  
  486. Unable to confirm if an effective, application based software firewall is in use on this endpoint. Please confirm that a software firewall is in use on this host, listing explicitly which applications can generate inbound and outbound network traffic.
  487.  
  488. ####################### SOUND RECORDER #######################
  489.  
  490. Do not allow Sound Recorder to run is not configured
  491.  
  492. ####################### STANDARD OPERATING ENVIRONMENT #######################
  493.  
  494. This script is unable to check if a Standard Operating Environment (SOE) was used to build this image. Please manually confirm if the computer was built using a SOE image process
  495.  
  496. ####################### SYSTEM BACKUP AND RESTORE #######################
  497.  
  498. Unable to check Backup Files and Directories setting at this time, please check manually Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Backup Files and Directories. Only Administrators should be members of this setting
  499. Unable to check Restore Files and Directories setting at this time, please check manually Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore Files and Directories. Only Administrators should be members of this setting
  500.  
  501. ####################### SYSTEM CRYPTOGRAPHY #######################
  502.  
  503. System cryptography: Force strong key protection for user keys stored on the computer is not configured
  504. Use FIPS compliant algorithms for encryption, hashing and signing is not configured
  505.  
  506. ####################### USER RIGHTS POLICIES #######################
  507.  
  508. Unable to check this chapter as it requires a GPO export to view the settings (they are not stored locally). Please check policies located at 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment'
  509.  
  510. ####################### VIRTUALISED WEB AND EMAIL ACCESS #######################
  511.  
  512. This machine was detected to be a physical machine, if this machine is used to browse the web and check e-mail, you are non compliant with this chapter of the guide
  513.  
  514. ####################### WINDOWS REMOTE MANAGEMENT #######################
  515.  
  516. Allow Basic authentication is not configured
  517. Allow unencrypted traffic is not configured
  518. Disallow Digest authentication is not configured
  519. Allow Basic authentication is not configured
  520. Allow unencrypted traffic is not configured
  521. Disallow WinRM from storing RunAs credentials is not configured
  522.  
  523. ####################### WINDOWS REMOTE SHELL ACCESS #######################
  524.  
  525. Allow Remote Shell Access is disabled
  526.  
  527. ####################### WINDOWS SEARCH AND CORTANA #######################
  528.  
  529. Allow Cortana is disabled
  530. Don't search the web or display web results in Search is not configured
  531.  
  532. ####################### WINDOWS TO GO #######################
  533.  
  534. Windows To Go Default Startup Options is not configured
  535.  
  536. ####################### DISPLAYING FILE EXTENSIONS #######################
  537.  
  538. Display file extensions is enabled
  539.  
  540. ####################### FILE AND FOLDER SECURITY PROPERTIES #######################
  541.  
  542. Remove Security tab is not configured
  543.  
  544. ####################### LOCATION AWARENESS #######################
  545.  
  546. Turn off location is enabled
  547. Turn off location scripting is not configured
  548. Turn off Windows Location Provider is enabled
  549.  
  550. ####################### MICROSOFT STORE #######################
  551.  
  552. Turn off access to the Store is not configured
  553. Turn off the Store application is not configured
  554.  
  555. ####################### PUBLISHING INFORMATION TO THE WEB #######################
  556.  
  557. Turn off Internet download for Web publishing and online ordering wizards is enabled
  558.  
  559. ####################### RESULTANT SET OF POLICY REPORTING #######################
  560.  
  561. Determine if interactive users can generate Resultant Set of Policy data is not configured
  562.  
  563. #######################  #######################
  564.  
  565.  
  566. Out of a total of 346 controls checked there were:
  567. 113 compliant settings
  568. 153 Not-Configured (therefore treated as Non-Compliant) settings
  569. 36 Non-Compliant settings
  570. 47 settings that were unable to be checked due to various limitations
  571. Press Enter to continue...:
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top