Windows OS Hardening with PowerShell DSC

posh-dsc-windowsserver-hardening

This repository contains PowerShell DSC code for the secure configuration of Windows according to the following hardening guidelines:

  • CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark v1.8.1
  • CIS Microsoft Windows Server 2019 Release 1809 benchmark v1.1.0
  • CIS Microsoft Windows Server 2016 Release 1607 benchmark v1.1.0
  • Azure Security Center Baseline for Windows Server 2016
  • Windows Event Log and Audit Policy Best Practices

Read more about it on our NVISO Blog

CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark v1.8.1

The file CIS_Windows10_v181.ps1 contains the PowerShell DSC configuration applying the CIS Microsoft Windows 10 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • For control 5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled', the value is set to 2 for testing instead of the benchmark's Disabled setting.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', the value is set to 1 for testing instead of the benchmark's Disabled setting.

CIS Microsoft Windows Server 2019 Release 1809 benchmark v1.1.0

The file CIS_WindowsServer2019_v110.ps1 contains the PowerShell DSC configuration applying the CIS Microsoft Windows Server 2019 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are commented out because they duplicate other controls.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', the value is set to 1 for testing instead of the benchmark's Disabled setting.

  • Control 19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' is commented out because it duplicates control 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'.

CIS Microsoft Windows Server 2016 Release 1607 benchmark v1.1.0

The file CIS_WindowsServer2016_v110.ps1 contains the PowerShell DSC configuration applying the CIS Microsoft Windows Server 2016 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are commented out because they duplicate other controls.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', the value is set to 1 for testing instead of the benchmark's Disabled setting.

  • Control 19.7.40.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' is commented out because it duplicates control 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'.

Azure Security Center Baseline for Windows Server 2016

The file AzSC_CCEv4_WindowsServer2016.ps1 contains all controls in the Azure Security Center Baseline for Windows Server 2016.

Azure Security Center Baseline for Windows Server 2016 can be found here:

TechNet Azure Security Center Common Configuration

Windows Event Log and Audit Policy Best Practices

The file AuditPolicy_WindowsServer2016.ps1 contains the PowerShell DSC code for applying Windows event logging and audit settings best practices.

These best practices are based on guidelines from Malware Archeology:

Malware Archeology

Usage

To apply the CIS benchmark PowerShell DSC code, follow these steps in an elevated PowerShell prompt:

Install the required PowerShell DSC modules:

install-module AuditPolicyDSC
install-module ComputerManagementDsc
install-module SecurityPolicyDsc

Compile the CIS benchmark PowerShell DSC code:

./CIS_WindowsServer2016_v110.ps1

A MOF file will be created.

Increase the maximum envelope size by running the following command:

Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 2048

Enable Windows Remote Management:

winrm quickconfig

Run the following command to apply the PowerShell DSC configuration:

Start-DscConfiguration -Path .\CIS_WindowsServer2016_v110 -Force -Verbose -Wait
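As an added example (not code from this repository), the following minimal configuration shows the pattern the CIS_*.ps1 files follow: two of the controls named above expressed as DSC resources, the WinRM testing exception turned into a parameter, one audit subcategory from the AuditPolicyDSC module, and a Test-DscConfiguration drift report taken before anything is applied. The configuration and resource names are this example's own; the registry keys are the ones the CIS controls map to (WinRM Start 4 = Disabled, 2 = Automatic; AlwaysInstallElevated 0 = Disabled).

```powershell
# Added example, not the repository's own code. Requires AuditPolicyDSC (see Usage).
Configuration CisSubsetDemo {
    param (
        # CIS 5.39 wants the WinRM service Disabled (Start = 4). The repository keeps
        # 2 (Automatic) while testing so the DSC push over WinRM still works; pass
        # -WinRMStart 4 once a different management path is in place.
        [ValidateSet(2, 3, 4)]
        [int] $WinRMStart = 2
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AuditPolicyDSC

    Node localhost {
        # 5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'
        Registry 'WinRMServiceStart' {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM'
            ValueName = 'Start'
            ValueType = 'Dword'
            ValueData = "$WinRMStart"
            Ensure    = 'Present'
        }

        # 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'
        Registry 'AlwaysInstallElevated' {
            Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
            ValueName = 'AlwaysInstallElevated'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Audit policy: log every process start (Security event 4688), as the
        # event log best practices recommend
        AuditPolicySubcategory 'AuditProcessCreation' {
            Name      = 'Process Creation'
            AuditFlag = 'Success'
            Ensure    = 'Present'
        }
    }
}

# Compile to a MOF, then report which resources drift from the baseline
# without changing the machine.
CisSubsetDemo -OutputPath .\CisSubsetDemo | Out-Null
$report = Test-DscConfiguration -Path .\CisSubsetDemo -Detailed
$report.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
# Apply only once the drift report looks as expected:
# Start-DscConfiguration -Path .\CisSubsetDemo -Force -Verbose -Wait
```

Running the block in an elevated prompt on a machine where the repository's MOF has not yet been applied lists the two registry values and the audit subcategory as not in the desired state, which is the same pre-check you can run with the full CIS_*.ps1 output folders.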

OS Platforms

The relevant baselines have been tested on the following operating systems:

  • Windows 10 Release 1909
  • Windows Server 2016 Release 1607
  • Windows Server 2019 Release 1809

Disclaimer

This code is provided as is. Please test thoroughly before applying it to production systems.

License

GPL-3.0
