Public/SecurityOption.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
<#
.SYNOPSIS
    Test a Security Option.
.DESCRIPTION
    Test the setting of a particular security option.
.PARAMETER Target
    Specifies the category of the security option.
.PARAMETER Should
    A Script Block defining a Pester Assertion.
.EXAMPLE
    SecurityOption 'Accounts: Administrator account status' { Should -Be Disabled }
.EXAMPLE
    SecurityOption 'Domain member: Maximum machine account password age' { Should -Be 30 }
.EXAMPLE
    SecurityOption 'Accounts: Block Microsoft accounts' { Should -Be $null }
.NOTES
    Assertions: Be, BeExactly, Match, MatchExactly
#>

 
function SecurityOption {
    [CmdletBinding(DefaultParameterSetName = "Default")]
    param(
        [Parameter(Mandatory, Position = 1)]
        [Alias("Category")]
        [ValidateSet(
            "Accounts: Administrator account status",
            "Accounts: Block Microsoft accounts",
            "Accounts: Guest account status",
            "Accounts: Limit local account use of blank passwords to console logon only",
            "Accounts: Rename administrator account",
            "Accounts: Rename guest account",
            "Audit: Audit the access of global system objects",
            "Audit: Audit the use of Backup and Restore privilege",
            "Audit: Force audit policy subcategory settings Windows Vista or later to override audit policy category settings",
            "Audit: Shut down system immediately if unable to log security audits",
            "DCOM: Machine Access Restrictions in Security Descriptor Definition Language SDDL syntax",
            "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language SDDL syntax",
            "Devices: Allow undock without having to log on",
            "Devices: Allowed to format and eject removable media",
            "Devices: Prevent users from installing printer drivers",
            "Devices: Restrict CD ROM access to locally logged on user only",
            "Devices: Restrict floppy access to locally logged on user only",
            "Domain controller: Allow server operators to schedule tasks",
            "Domain controller: LDAP server signing requirements",
            "Domain controller: Refuse machine account password changes",
            "Domain member: Digitally encrypt or sign secure channel data always",
            "Domain member: Digitally encrypt secure channel data when possible",
            "Domain member: Digitally sign secure channel data when possible",
            "Domain member: Disable machine account password changes",
            "Domain member: Maximum machine account password age",
            "Domain member: Require strong Windows 2000 or later session key",
            "Interactive logon: Display user information when the session is locked",
            "Interactive logon: Do not display last user name",
            "Interactive logon: Do not require CTRL ALT DEL",
            "Interactive logon: Machine account lockout threshold",
            "Interactive logon: Machine inactivity limit",
            "Interactive logon: Message text for users attempting to log on",
            "Interactive logon: Message title for users attempting to log on",
            "Interactive logon: Number of previous logons to cache in case domain controller is not available",
            "Interactive logon: Prompt user to change password before expiration",
            "Interactive logon: Require Domain Controller authentication to unlock workstation",
            "Interactive logon: Require smart card",
            "Interactive logon: Smart card removal behavior",
            "Microsoft network client: Digitally sign communications always",
            "Microsoft network client: Digitally sign communications if server agrees",
            "Microsoft network client: Send unencrypted password to third party SMB servers",
            "Microsoft network server: Amount of idle time required before suspending session",
            "Microsoft network server: Attempt S4U2Self to obtain claim information",
            "Microsoft network server: Digitally sign communications always",
            "Microsoft network server: Digitally sign communications if client agrees",
            "Microsoft network server: Disconnect clients when logon hours expire",
            "Microsoft network server: Server SPN target name validation level",
            "Network access: Allow anonymous SID Name translation",
            "Network access: Do not allow anonymous enumeration of SAM accounts",
            "Network access: Do not allow anonymous enumeration of SAM accounts and shares",
            "Network access: Do not allow storage of passwords and credentials for network authentication",
            "Network access: Let Everyone permissions apply to anonymous users",
            "Network access: Named Pipes that can be accessed anonymously",
            "Network access: Remotely accessible registry paths",
            "Network access: Remotely accessible registry paths and subpaths",
            "Network access: Restrict anonymous access to Named Pipes and Shares",
            "Network access: Restrict clients allowed to make remote calls to SAM",
            "Network access: Shares that can be accessed anonymously",
            "Network access: Sharing and security model for local accounts",
            "Network security: Allow Local System to use computer identity for NTLM",
            "Network security: Allow LocalSystem NULL session fallback",
            "Network Security: Allow PKU2U authentication requests to this computer to use online identities",
            "Network security: Configure encryption types allowed for Kerberos",
            "Network security: Do not store LAN Manager hash value on next password change",
            "Network security: Force logoff when logon hours expire",
            "Network security: LAN Manager authentication level",
            "Network security: LDAP client signing requirements",
            "Network security: Minimum session security for NTLM SSP based including secure RPC clients",
            "Network security: Minimum session security for NTLM SSP based including secure RPC servers",
            "Network security: Restrict NTLM Add remote server exceptions for NTLM authentication",
            "Network security: Restrict NTLM Add server exceptions in this domain",
            "Network Security: Restrict NTLM Incoming NTLM Traffic",
            "Network Security: Restrict NTLM NTLM authentication in this domain",
            "Network Security: Restrict NTLM Outgoing NTLM traffic to remote servers",
            "Network Security: Restrict NTLM Audit Incoming NTLM Traffic",
            "Network Security: Restrict NTLM Audit NTLM authentication in this domain",
            "Recovery console: Allow automatic administrative logon",
            "Recovery console: Allow floppy copy and access to all drives and folders",
            "Shutdown: Allow system to be shut down without having to log on",
            "Shutdown: Clear virtual memory pagefile",
            "System cryptography: Force strong key protection for user keys stored on the computer",
            "System cryptography: Use FIPS compliant algorithms for encryption hashing and signing",
            "System objects: Require case insensitivity for non Windows subsystems",
            "System objects: Strengthen default permissions of internal system objects eg Symbolic Links",
            "System settings: Optional subsystems",
            "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
            "User Account Control: Admin Approval Mode for the Built in Administrator account",
            "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop",
            "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",
            "User Account Control: Behavior of the elevation prompt for standard users",
            "User Account Control: Detect application installations and prompt for elevation",
            "User Account Control: Only elevate executables that are signed and validated",
            "User Account Control: Only elevate UIAccess applications that are installed in secure locations",
            "User Account Control: Run all administrators in Admin Approval Mode",
            "User Account Control: Switch to the secure desktop when prompting for elevation",
            "User Account Control: Virtualize file and registry write failures to per user locations"
        )]
        [string]
        $Target,
        
        [Parameter(Mandatory, Position = 2)]
        [scriptblock]
        $Should
    )
    function GetSecurityPolicy([string]$Category) {

        function Get-PolicyOptionData {
            [OutputType([hashtable])]
            [CmdletBinding()]
            Param
            (
                [Parameter(Mandatory = $true)]
                [Microsoft.PowerShell.DesiredStateConfiguration.ArgumentToConfigurationDataTransformation()]
                [hashtable]
                $FilePath
            )
            return $FilePath
        }

        $securityOptionData = Get-PolicyOptionData -FilePath $("$PSScriptRoot\SecurityOptionData.psd1").Normalize()
        
        $SecurityOption = $securityOptionData[$Category]

        If ($SecurityOption) {

            $SecurityPolicyFilePath = Join-Path -Path $env:temp -ChildPath 'SecurityPolicy.inf'
            secedit.exe /export /cfg $SecurityPolicyFilePath /areas 'SECURITYPOLICY' | Out-Null
    
            $policyConfiguration = @{ }

            switch -regex -file $SecurityPolicyFilePath {
                "^\[(.+)\]" {
                    # Section
                    $section = $matches[1]
                    $policyConfiguration[$section] = @{ }
                }
                "(.+?)\s*=(.*)" {
                    # Key
                    $name, $value = $matches[1..2] -replace "\*"
                    $policyConfiguration[$section][$name] = $value.Trim()
                }
            }

            $soSection = $SecurityOption.Section
            $soOptions = $SecurityOption.Option
            $soValue = $SecurityOption.Value                

            $soResultValue = $policyConfiguration.$soSection.$soValue

            If ($soResultValue) {

                If ($soOptions.GetEnumerator().Name -ne 'String') {
                    $soResult = ($soOptions.GetEnumerator() | Where-Object { $_.Value -eq $soResultValue }).Name
                } 
                Else {
                    $soOptionsValue = ($soOptions.GetEnumerator() | Where-Object { $_.Name -eq 'String' }).Value
                    $soResult = $soResultValue -Replace "^$soOptionsValue", ''
                }
            }
            Else {
                $soResult = $null
            }

            Return $soResult
        }
        Else {
            Throw "The security option $Category was not found."
        }
    }

    # Modify the target string to match what is in the SecurityOptionData.psd1 file
    $Category = $Target.Replace(':','').Replace(' ','_')

    $Expression = { GetSecurityPolicy -Category '$Category' }
    $Params = Get-PoshspecParam -TestName SecurityOption -TestExpression $Expression @PSBoundParameters

    Invoke-PoshspecExpression @Params
}