├── lockout_timer.ps1
├── get_audit_policy.ps1
├── configure_password_policy.ps1
├── enable_secure_policy.ps1
├── enable_ps_logging.ps1
├── configure_audit_policy.ps1
└── README.md

/lockout_timer.ps1:
--------------------------------------------------------------------------------
#
# Enables a lockout time-out on Windows devices by configuring a monitor timeout in the current power policy.
# On Windows 10 this will automatically cause the session to lock, but on versions before Windows 7 this may need to be configured separately.
#
# Change the value of $time (10) to the number of minutes before the monitor is turned off and the session locked.
# Comment out the second (dc) line unless the device has a battery; it only sets the on-battery timeout.
#
# Author: Jeff Starke
#
# Usage: Copy and paste into an Administrative PowerShell.

$time = 10
powercfg /change monitor-timeout-ac $time   # timeout while on AC power
powercfg /change monitor-timeout-dc $time   # timeout while on battery (laptops and devices with batteries only)
--------------------------------------------------------------------------------
/get_audit_policy.ps1:
--------------------------------------------------------------------------------
#
# Prints the current advanced audit policy one category at a time so it can be reviewed or attached to a ticket.
# Author: Jeff Starke
#
auditpol /get /category:"System"
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
auditpol /get /category:"Privilege Use"
auditpol /get /category:"Detailed Tracking"
auditpol /get /category:"Policy Change"
auditpol /get /category:"Account Management"
auditpol /get /category:"DS Access"
auditpol /get /category:"Account Logon"
echo ""
echo "Please copy and paste the above output to the original ticket."
--------------------------------------------------------------------------------
/configure_password_policy.ps1:
--------------------------------------------------------------------------------
#
# This script will automatically configure the Windows system's password policy based on Microsoft's documented best practices.
# Unfortunately, there is no easy way to enforce complexity from a script, so it opens the security policy panel and prompts you to set it.
#
# Author: Jeff Starke
#

net accounts /forcelogoff:900        # Force log off this many minutes after logon hours expire {minutes | no}
net accounts /minpwage:0             # Minimum password age {days, default 0}
net accounts /maxpwage:30            # Maximum password age {days | unlimited}
net accounts /minpwlen:14            # Minimum password length {0-14, default 6}
net accounts /uniquepw:24            # Length of password history maintained {0-24}
net accounts /lockoutthreshold:10    # Lockout threshold (failed logon attempts)
net accounts /lockoutduration:15     # Lockout duration (minutes)
net accounts /lockoutwindow:15       # Lockout observation window (minutes); must not exceed the lockout duration
secpol.msc
Add-Type -AssemblyName PresentationFramework
[System.Windows.MessageBox]::Show('Please navigate to Account Policies > Password Policy and enable "Password must meet complexity requirements".')
--------------------------------------------------------------------------------
/enable_secure_policy.ps1:
--------------------------------------------------------------------------------
# Downloads from a URL and writes to a local file in $env:temp, which is the user's C:\Users\XXX\AppData\Local\Temp.
# When executed, will download and run the audit and password policy scripts.
# Automatically keeps up to date with the latest version. Commenting out the powershell.exe lines will allow you to edit the scripts prior to execution.
#
# Author: Jeff Starke

$url1 = "https://raw.githubusercontent.com/Starke427/Windows-Security-Policy/master/configure_audit_policy.ps1"
$file1 = "$env:temp\configure_audit_policy.ps1"

$url2 = "https://raw.githubusercontent.com/Starke427/Windows-Security-Policy/master/configure_password_policy.ps1"
$file2 = "$env:temp\configure_password_policy.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url1, $file1)
(New-Object -TypeName System.Net.WebClient).DownloadFile($url2, $file2)

powershell.exe -ExecutionPolicy ByPass -File $file1
powershell.exe -ExecutionPolicy ByPass -File $file2
--------------------------------------------------------------------------------
/enable_ps_logging.ps1:
--------------------------------------------------------------------------------
#
# Enable PowerShell Module and ScriptBlock Logging on Non-Enterprise Windows 10 Devices
# Author: Jeff Starke
#

$base = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'

# Create the policy keys only where they do not already exist (New-Item fails on an existing key)
foreach ($key in @($base, "$base\ModuleLogging", "$base\ModuleLogging\ModuleNames", "$base\ScriptBlockLogging")) {
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
}

# Enable Module Logging for all modules (a value named '*' with data '*' under ModuleNames)
Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
Get-Item -Path "$base\ModuleLogging"
Get-Item -Path "$base\ModuleLogging\ModuleNames"

# Enable ScriptBlock Logging (script blocks are recorded as event 4104 in Microsoft-Windows-PowerShell/Operational)
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
Get-Item -Path "$base\ScriptBlockLogging"
--------------------------------------------------------------------------------
/configure_audit_policy.ps1:
--------------------------------------------------------------------------------
#
# This script will automatically configure a Windows system's advanced audit policy based on Microsoft's documented best practices.
# Author: Jeff Starke
#

# System
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:disable > $null
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable > $null
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Security State Change" /success:enable /failure:disable > $null

# Logon/Logoff
auditpol /set /subcategory:"Logon" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Logoff" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable > $null
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable > $null
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:disable > $null
auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Group Membership" /success:enable /failure:disable > $null

# Object Access
auditpol /set /subcategory:"File System" /success:disable /failure:enable > $null
auditpol /set /subcategory:"Registry" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable > $null
auditpol /set /subcategory:"SAM" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable > $null
auditpol /set /subcategory:"File Share" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:enable > $null
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Central Policy Staging" /success:disable /failure:disable > $null

# Privilege Use
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:disable > $null

# Detailed Tracking
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Process Termination" /success:disable /failure:disable > $null
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable > $null
auditpol /set /subcategory:"RPC Events" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Token Right Adjusted Events" /success:disable /failure:disable > $null

# Policy Change
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:disable > $null
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable > $null
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable > $null

# Account Management
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:disable > $null
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable > $null

# DS Access
auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:enable > $null
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:disable > $null
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable > $null
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable > $null

# Account Logon
auditpol /set /category:"Account Logon" /success:enable /failure:enable > $null

echo ""
echo "The local audit policy has been updated. Please review the new configuration below."
Start-Sleep 3
echo ""

auditpol /get /category:*
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Windows-Security-Policy
Specific guidance and configuration scripts based on Microsoft-recommended security configuration baselines for Windows. Intended for all Windows environments, especially stand-alone (non-domain managed) systems that are typically overlooked.

---
This is intended to provide high-level guidance on configuring the Windows Advanced Audit Policy Configuration based on recommendations from Microsoft to meet CIS standards. Full details on each category can be found at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.

Due to the limitations of system access control lists (SACLs), it is recommended that you implement some form of agent-based monitoring of file systems and registries instead of relying on Global Object Access Auditing. This will also generally provide some form of more centralized audit logging, which simplifies the validation of logging during audit assessments. A great, free alternative is Sysmon, whose deployment you can automate [here](https://github.com/Starke427/Sysmon-Configs).

To aid in your assessment, you can take advantage of Microsoft's Security Compliance Toolkit (SCT). SCT is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows.
Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy. The toolkit is available here: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10

---
# Enable Advanced Auditing and Password Policy

This will automatically configure your local audit and password policies per the Microsoft security baselines. Please see the sections below if you would prefer to configure only one or the other. The changes take effect immediately on the local system.

The script finishes by opening the local security policy and prompting you to enable password complexity, as there is currently no way to script enabling this feature. Under Security Settings > Account Policies > Password Policy, click on and enable 'Password must meet complexity requirements.'

```
$url1 = "https://raw.githubusercontent.com/Starke427/Windows-Security-Policy/master/enable_secure_policy.ps1"
$file1 = "$env:temp\enable_secure_policy.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url1, $file1)
# Relax the execution policy for this process only rather than machine-wide
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
& "$env:temp\enable_secure_policy.ps1"
```

# Configure Password Policy

To simplify password policy configuration for stand-alone systems, this script will automatically configure the following:

- Force Log Off: 900 minutes
- Minimum Password Age: 0 days
- Maximum Password Age: 30 days
- Minimum Password Length: 14 characters
- Number of Passwords Remembered: 24
- Account Lockout Threshold: 10
- Account Lockout Duration: 15 minutes

The script finishes by opening the local security policy and prompting you to enable password complexity, as there is currently no way to script enabling this feature. Under Security Settings > Account Policies > Password Policy, click on and enable 'Password must meet complexity requirements.'

```
$url1 = "https://raw.githubusercontent.com/Starke427/Windows-Security-Policy/master/configure_password_policy.ps1"
$file1 = "$env:temp\configure_password_policy.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url1, $file1)
# Relax the execution policy for this process only rather than machine-wide
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
& "$env:temp\configure_password_policy.ps1"
```

# Configure Advanced Auditing

To simplify audit policy configuration for stand-alone systems, the following will automatically configure all policies as outlined below. It must be run from an Administrative PowerShell.

```
$url1 = "https://raw.githubusercontent.com/Starke427/Windows-Security-Policy/master/configure_audit_policy.ps1"
$file1 = "$env:temp\configure_audit_policy.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url1, $file1)
# Relax the execution policy for this process only rather than machine-wide
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
& "$env:temp\configure_audit_policy.ps1"
```

---

### Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used.

This category includes the following subcategories:

- Audit Credential Validation - Success/Failure
- Audit Kerberos Authentication Service - Success/Failure
- Audit Kerberos Service Ticket Operations - Success/Failure
- Audit Other Logon/Logoff Events - Success/Failure

### Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups.

This category includes the following subcategories:

- Audit Application Group Management - Success
- Audit Computer Account Management - Success
- Audit Distribution Group Management - Success
- Audit Other Account Management Events - Success
- Audit Security Group Management - Success
- Audit User Account Management - Success/Failure

### Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on a computer, and to understand how that computer is being used.

This category includes the following subcategories:

- Audit DPAPI Activity - Not Configured
- Audit PNP Activity - Success
- Audit Process Creation - Success
- Audit Process Termination - Not Configured
- Audit RPC Events - Success
- Audit Credential Validation - Failure
- Audit Token Right Adjusted - Not Configured

### DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers.

This category includes the following subcategories:

- Audit Detailed Directory Service Replication - Not Configured
- Audit Directory Service Access - Failure
- Audit Directory Service Changes - Success
- Audit Directory Service Replication - Not Configured

### Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources.

This category includes the following subcategories:

- Audit Account Lockout - Failure
- Audit User/Device Claims - Success
- Audit Group Membership - Success
- Audit IPsec Extended Mode - Not Configured
- Audit IPsec Main Mode - Not Configured
- Audit IPsec Quick Mode - Not Configured
- Audit Logoff - Not Configured
- Audit Logon - Success/Failure
- Audit Network Policy Server - Success
- Audit Other Logon/Logoff Events - Success/Failure
- Audit Special Logon - Success

### Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.

Proving to an external auditor that these audit policies are in effect is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.

This category includes the following subcategories:

- Audit Application Generated - Not Configured
- Audit Certification Services - Success/Failure
- Audit Detailed File Share - Failure
- Audit File Share - Success/Failure
- Audit File System - Failure
- Audit Filtering Platform Connection - Failure
- Audit Filtering Platform Packet Drop - Not Configured
- Audit Handle Manipulation - Not Configured
- Audit Kernel Object - Not Configured
- Audit Other Object Access Events - Success/Failure
- Audit Registry - Not Configured
- Audit Removable Storage - Success/Failure
- Audit SAM - Not Configured
- Audit Central Access Policy Staging - Not Configured

### Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network.

This category includes the following subcategories:

- Audit Audit Policy Change - Success
- Audit Authentication Policy Change - Success
- Audit Authorization Policy Change - Success
- Audit Filtering Platform Policy Change - Not Configured
- Audit MPSSVC Rule-Level Policy Change - Success/Failure
- Audit Other Policy Change Events - Failure

### Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems.

This category includes the following subcategories:

- Audit Non-Sensitive Privilege Use - Not Configured
- Audit Other Privilege Use Events - Not Configured
- Audit Sensitive Privilege Use - Success (failure auditing is recommended by Microsoft, but it is very noisy and is not enabled by default)

### System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications.

This category includes the following subcategories:

- Audit IPsec Driver - Not Configured
- Audit Other System Events - Success/Failure
- Audit Security State Change - Success
- Audit Security System Extension - Not Configured
- Audit System Integrity - Success/Failure

### Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type. Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.

Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.

Note: If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.

This category includes the following subcategories:

- File System (Global Object Access Auditing) - Not Configured
- Registry (Global Object Access Auditing) - Not Configured

--------------------------------------------------------------------------------
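To confirm that a host actually carries the password settings from the "Configure Password Policy" section and the subcategory settings listed above, here is an added verification script; it is not part of this repository. It assumes an elevated PowerShell and English-language `net accounts` and `auditpol` output (both are parsed as text), and it checks only a representative subset of the subcategories, which you can extend from the listing.

```powershell
# Added example, not part of this repository: compare the live password policy and
# advanced audit policy with the values documented in the README.
# Assumes an elevated PowerShell and English-language net/auditpol output.

function Get-NetAccountsSettings {
    # Parse "net accounts" into a label -> value map, e.g. 'Minimum password length' -> '14'.
    $map = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<label>[^:]+):\s*(?<value>\S.*)$') {
            $map[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }
    return $map
}

function Get-EffectiveAuditPolicy {
    # auditpol's /r switch emits CSV with 'Subcategory' and 'Inclusion Setting' columns.
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    $map = @{}
    foreach ($row in $rows) { $map[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim() }
    return $map
}

function Compare-Baseline {
    # Emit one row per expected setting, flagging any that differ from the live value.
    param([string]$Area, [hashtable]$Expected, [hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $have = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Area      = $Area
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $have
            Compliant = ($have -eq $Expected[$name])
        }
    }
}

# Values from the "Configure Password Policy" section, keyed by the labels net accounts prints.
$expectedPassword = @{
    'Minimum password age (days)'           = '0'
    'Maximum password age (days)'           = '30'
    'Minimum password length'               = '14'
    'Length of password history maintained' = '24'
    'Lockout threshold'                     = '10'
    'Lockout duration (minutes)'            = '15'
}

# A representative subset of the subcategory listing; extend it as needed.
# auditpol reports 'Success', 'Failure', 'Success and Failure' or 'No Auditing'.
$expectedAudit = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success'
    'Security Group Management' = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success'
    'Removable Storage'         = 'Success and Failure'
    'Security State Change'     = 'Success'
    'System Integrity'          = 'Success and Failure'
}

$results = @(Compare-Baseline -Area 'Password' -Expected $expectedPassword -Actual (Get-NetAccountsSettings)) +
           @(Compare-Baseline -Area 'Audit'    -Expected $expectedAudit    -Actual (Get-EffectiveAuditPolicy))
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the documented baseline."
    exit 1
}
```

A non-zero exit code makes the check usable from a scheduled task or configuration-management run, so drift from the baseline is noticed rather than assumed away.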