
hardeningkitty's People

Contributors

0x6d69636b, ataumo, thetechgy


hardeningkitty's Issues

Network Provider: Hardened UNC Paths (SYSVOL)

[*] 16.05.2022 15:05:49 - Getting machine information
[*] Domain role: MemberServer
[*] Windows: Windows Server 2022 Datacenter
[*] Windows edition: ServerDatacenter
[*] Windows version: 2009
[*] Windows build: 20348.1.amd64fre.fe_release.210507-1500
[*] System-locale: de-DE
[*] Powershell Version: 5.1

Commandline:
Invoke-HardeningKitty -EmojiSupport -FileFindingList .\lists\finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv

ID 10653, Network Provider: Hardened UNC Paths (NETLOGON), Result=RequireMutualAuthentication=1,RequireIntegrity=1, Severity=Passed

[😿] ID 10654, Network Provider: Hardened UNC Paths (SYSVOL), Result=RequireMutualAuthentication=1,RequireIntegrity=1, Recommended=RequireMutualAuthentication=1, RequireIntegrity=1, Severity=Medium

The recommendation of the second case contains a space character and might lead to Severity=Medium instead of Severity=Passed. Both cases are configured exactly the same on my systems.
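One way to make such a comparison tolerant of whitespace around the list separator, as an added example that is not HardeningKitty's own code; the function name and the two sample strings (taken from the finding lines quoted above) are constructed for illustration:

```powershell
# Added example (not HardeningKitty code): compare a multi-valued setting such as
# Hardened UNC Paths against its recommendation while ignoring whitespace around the
# list separator, so "A=1, B=1" and "A=1,B=1" count as the same configuration.
function Compare-MultiValueSetting {
    param(
        [Parameter(Mandatory)] [string] $Result,
        [Parameter(Mandatory)] [string] $Recommended,
        [string] $Separator = ','
    )

    # Split on the separator, trim each element, drop empties and sort so the
    # comparison is order-insensitive. -split takes a regex, so escape the separator.
    $normalize = {
        param([string] $Value)
        @($Value -split [regex]::Escape($Separator) |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' } |
            Sort-Object -Unique)
    }

    $resultItems      = & $normalize $Result
    $recommendedItems = & $normalize $Recommended

    # Join with a character that cannot occur in the elements and compare once.
    # Registry value names and numeric values are not case sensitive, so -eq is used.
    return (($resultItems -join "`n") -eq ($recommendedItems -join "`n"))
}

# Constructed sample values taken from the two finding lines quoted in the issue.
$result      = 'RequireMutualAuthentication=1,RequireIntegrity=1'
$recommended = 'RequireMutualAuthentication=1, RequireIntegrity=1'

if (Compare-MultiValueSetting -Result $result -Recommended $recommended) {
    Write-Output 'Match: would be reported as Severity=Passed'
} else {
    Write-Output 'Mismatch: would be reported as Severity=Medium'
}
```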

Line 663 has a typo in the variable name:

    # A CSV finding list is imported. HardeningKitty has one machine and one user list.
    If ($FileFindingList.Length -eq 0) {

        $CurrentLication = Get-Location
        $FileFindingList = "$CurrentLication\lists\finding_list_0x6d69636b_machine.csv"
    }

    $FindingList = Import-Csv -Path $FileFindingList -Delimiter ","
    $LastCategory = ""

Windows defender blocked

I got this error:

Get-MpComputerStatus : A general error occurred that is not covered by a more specific error code.
At C:\Program Files\WindowsPowerShell\Modules\HardeningKitty\0.9.2\HardeningKitty.psm1:1196 char:37
+                 $ResultOutput = Get-MpComputerStatus
+                                 ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft...pComputerStatus) [Get-MpComputerStatus], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus

The Hardening Score is: 3.18
Unable to find the specified field.

It seems Windows Defender is blocked or disabled. Is there any way to get around this? Thank you

Add new finding

Hello all!

This is not really an issue, but I would like to know if it is possible to add a new finding and, if yes, how.

I want to check if the PowerShell ExecutionPolicy on the endpoint is set to the Microsoft default "Restricted" or something different.

PS C:\Users\SecurityWho> Get-ExecutionPolicy
Restricted

Registry type needed to be REG_SZ, not REG_DWORD

The Retention registry setting in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup", and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" needs to be REG_SZ. The script creates these as REG_DWORD which do configure the setting correctly.

Not sure if there are other examples here, but I only noticed this when Windows alerted me to the fact that the security log was full, however I knew we enforced the retention setting to prevent this.
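A check for the value kind of the four Retention values named in the report, as an added example that is not HardeningKitty's own code; the function name is constructed, and the four key paths are the ones listed in the issue:

```powershell
# Added example (not HardeningKitty code): report the registry value kind of the
# EventLog "Retention" policy value for each log named in the issue above, so a
# REG_DWORD written where a REG_SZ is expected shows up instead of passing silently.
function Test-EventLogRetentionKind {
    param(
        [string[]] $Logs = @('Security', 'Application', 'Setup', 'System'),
        # RegistryValueKind name for REG_SZ; REG_DWORD would be 'DWord'.
        [string] $ExpectedKind = 'String'
    )

    foreach ($log in $Logs) {
        $keyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue

        if ($null -eq $key) {
            # Report a missing key rather than treating it as configured.
            [pscustomobject]@{ Log = $log; Kind = 'KeyMissing'; Value = $null; Ok = $false }
            continue
        }

        if ($key.GetValueNames() -notcontains 'Retention') {
            [pscustomobject]@{ Log = $log; Kind = 'ValueMissing'; Value = $null; Ok = $false }
            continue
        }

        # GetValueKind returns the stored type, independent of how the data is read back.
        $kind = $key.GetValueKind('Retention').ToString()
        [pscustomobject]@{
            Log   = $log
            Kind  = $kind
            Value = $key.GetValue('Retention')
            Ok    = ($kind -eq $ExpectedKind)
        }
    }
}

# Usage: list every log whose Retention value is missing or not stored as REG_SZ.
Test-EventLogRetentionKind | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Reading the keys under HKLM:\SOFTWARE\Policies does not require elevation, so the check can run in an audit-only context.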

Updated CIS benchmark finding lists

CIS Benchmark v3.0.1 has been released.
The finding lists on Github are still based on V2.0.x.
Are there plans to update the lists to V3.0.x?

Backup Parameter Not Found

After importing the module, when executing Invoke-HardeningKitty -Mode Config -Backup as indicated in the Readme.md, PowerShell returns the following error regarding the Backup parameter:

Invoke-HardeningKitty : A parameter cannot be found that matches parameter name 'Backup'.
At line:1 char:36
+ Invoke-HardeningKitty -Mode Config -Backup
+                                    ~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-HardeningKitty], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Invoke-HardeningKitty

Adding new method

Hi,

Loving the HardeningKitty capabilities, but for "our" hardening process we need new methods:

  • Users creation (to replace default admin by a new account)
  • NTFS permissions
  • other ?

I want to contribute to that (and not ask you to dev it), but I want to know if it's something that can be considered in the "scope" of HardeningKitty?

Best Regards,
Richard.

Registry to Local Group Policy?

This is a fantastic tool! I wanted to export the local policies to a CSV after running HailMary but noticed that there are only "not configured" policies in the Local Group Policy Editor. At least all the "administrative template" policies. I find this weird, because when you enable a policy the registry is changed. But apparently, when you modify/create a registry key, the corresponding policy is not enabled. Note that the machine I am using HardeningKitty HailMary on is a non-domain joined machine. Is it possible to automate getting the policies enabled?

CIS baseline in combination with Intune

Our machines are deployed with Intune. Checking the baseline with HardeningKitty reports that the firewall is OFF.
This is done by checking the registry hive under ..\Policies.
But this is only set when it's controlled by GPO. When done with Intune there is no ..\WindowsFirewall..

You can check it by NETSH or other functions.

But the first thing I would like to see is: when a registry key is not readable, don't assume it's 0. Report it as not available.

10501,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium

Hope you are willing to help and improve.

Best regards,
Gert

CIS Windows 10 list bugs

Hello,
Just a few remarks regarding the finding_list_cis_microsoft_windows_10_enterprise_machine.csv:

  • 18.8.3.1 - the recommended value should be '0' (disabled)
  • 18.8.4.1 and 18.8.4.2 are swapped, and default credential check is no longer part of this version of CIS benchmark. It should be 'Remote host allows delegation of non-exportable credentials'
  • '18.5.14.1.1' does not exist in CIS, it should be '18.5.14.1'

Requires Admin Privilege

Hello, when I run the script and want to save the output as a CSV file, I encounter this kind of error for some of our configured policies.

How to bypass?

"Window Manager\Window Manager Group" SID not shown in Result

I did a scan of a server against the BSI ND Machine baseline and in the scan result (CSV) for ID 279 (Increase scheduling priority), it shows only BUILTIN\Administrators as a result, despite the Window Manager\Window Manager Group also being configured via its SID (S-1-5-90-0) which I got from here. I would expect that SID to show up in the "Result" column as well, which isn't the case. For other settings I use S-1-0-0 for Nobody and those settings get a pass too, so I'm not sure it is related to the fact I am using a SID here per se.

Caveats: I'm not entirely convinced doing it via the SID is correct and the Windows Server language is German.

CIS 22H2 list availability

Hi there,

Just working on a Windows 11 22H2 machine today. Any chance you have this CIS list for 22H2? Unless you think 21H2 would suffice....

finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv

Thanks

Category Windows Firewall clarification

Why are the settings in the registry path:
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

also checked? For a compliance check SOFTWARE\Policies\Microsoft\WindowsFirewall should be enough?

Wrong default value for AlwaysInstallElevated

According to the documentation:

"To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to "1" under both of the following registry keys:"

This implies that when these keys are missing, the setting is not the same as if the setting value was 1.

This list (and others) however assume the value to be 1 by default:

https://github.com/scipag/HardeningKitty/blame/7751c3c303ba77f30d9d59362914018800eeb0bb/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_user.csv#L14

This results in false positive findings.

finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv - ID 2.3.10.9, Network access: Remotely accessible registry paths and sub-paths

[*] Windows: Microsoft Windows Server 2022 Standard Evaluation
[*] Windows edition: ServerStandardEval
[*] Windows version: 2009
Finding list - finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv

After changing the settings to the recommended values, it is still flagged as incorrect:

[$] ID 2.3.10.9, Network access: Remotely accessible registry paths and sub-paths, Result=System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog, Recommended=System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog, Severity=Medium

It's a bit hard to see with that blurb of text so I will paste again with easier formatting for visibility:

Result:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Recommended:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Any ideas what went wrong here?

Potentially outdated default value for RestrictDriverInstallationToAdministrators

Multiple rule lists define the Point and Print driver installation restriction with the default value of 0:

https://github.com/scipag/HardeningKitty/search?q=RestrictDriverInstallationToAdministrators

Meanwhile, according to the documentation:

"Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers."

I don't know if HardeningKitty can take into account the current update level of the target system. If it can't, maybe the updated default could be reflected in lists used for builds released after the above date?

Check how to execute the function Create a Group Policy (experimental) added from v0.91

The function Create a Group Policy (experimental) has been added since v0.91. Could you please confirm how to execute it?

Invoke-HardeningKitty -Mode GPO -FileFindingList .\lists\finding_list_0x6d69636b_machine.csv -GPOName HardeningKitty-Machine-01

If you specify an appropriate name in the -GPOName part of the above command, the following error will occur.
Get-GPRegistryValue: I get a message that there is no GPO named xxx in my domain.

Also, if you specify an existing GPO, a message will appear stating that you do not have access rights.

Is it actually a command that creates a domain policy?
How should I specify how to apply it to local policy?

Error CIS 2022_21h2 parameter 2.3.10.11

Good morning,

I wanted to report an error to you on a parameter that does not apply to my machine.
I wanted to apply the parameter "2.3.10.11" from the file "lists\finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv"
I noticed that the value was partially applied. Indeed, the value in the registry was: "O:BAG:BAD:(A" whereas "O:BAG:BAD:(A;;RC;;;BA)" is expected. I think it is related to the language of the operating system, because I use a French OS; for us the default separator is ";"

Restoring from backup adds kitty firewall rules

This has been reported before but the issue tickets are a bit mixed with other issues so I've created this new one.

Basically when restoring from a backup, additional rules blocking RDP and others are being added to the firewall which were not there before, locking someone out of their server.

Example.

  • On a fresh machine, create a backup
  • apply the latest ms baseline for windows 2022
  • revert from backup

HardeningKitty-named firewall rules appear, blocking all further access (RDP and more). From this point the only way to regain access was IPMI remote.

I've made this mistake twice now, I don't learn.

EDIT: This is the exact baseline that was used.

https://raw.githubusercontent.com/scipag/HardeningKitty/master/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv

The finding list was not found

Hi!
Just installed HK and cannot run it due to the following error in the output. Can you help please?

PS C:\Users\XXXXXXX\Desktop> Invoke-HardeningKitty -EmojiSupport

  =^._.^=
 _(      )/  HardeningKitty 0.9.0-1670934249

[*] 2023-04-07 20:20:35 - Starting HardeningKitty

[*] 2023-04-07 20:20:35 - Getting machine information
[*] Hostname: XXXX
[*] Domain: XXXX
[*] Domain role: Member Server
[*] Install date: 01/11/2016 07:16:02
[*] Last Boot Time: 04/06/2023 08:17:12
[*] Uptime: 1.12:03:23.2387107
[*] Windows: Microsoft Windows Server 2012 R2 Standard
[*] Windows version: 6.3.9600
[*] Windows build: 9600
[*] System-locale: lt-LT
[*] Powershell Version: 4.0

[*] 2023-04-07 20:20:36 - Language warning
[?] 2023-04-07 20:20:36 - HardeningKitty was developed for the system language 'en-US'. This system uses 'lt-LT' Language-dependent analyses can sometimes produce false results. Please create an issue if this occurs.

[*] 2023-04-07 20:20:36 - Getting user information
[*] Username: XXXXXX\XXXXXX
[*] Is Admin: True
[!] 2023-04-07 20:20:36 - The finding list C:\Users\XXXXXXX\Desktop\lists\finding_list_0x6d69636b_machine.csv was not found.

question

I have this setup on a multitude of computers but we are running into issues with certain SMB network drives connecting.

Windows server restore / Filter in HailMary mode

Hi,

First of all, I want to thank you for this repository.

I've encountered a couple of issues while using the code. The first issue is that the restore point functionality seems to be available only for computers. When I tried using it with a server, I had to create a manual restore point to utilize the HailMary mode, and I was forced to use the -SkipRestorePoint option.

The second issue is related to category filtering. When I filter by category and use the HailMary mode, the hardening is applied to all categories, not just the selected ones.

Thank you for your attention to these matters.

Best regards

Automatic creation of finding lists

HardeningKitty is a great tool and has been very helpful for creating gold images etc.

Do you have a scripted method for creating the finding lists from the STIG xml or pol files? It looks as though it might be possible, but not sure if all the required information is there.

Perhaps you could provide a short description of how you go about generating the finding lists from a STIG; this would be helpful for those looking to add new lists or keep theirs up to date.

thanks in advance.

Category Microsoft Edge ID 10952, 10953

When executing, on Windows 11 22H2:
Invoke-HardeningKitty -Mode Audit -FileFindingList .\lists\finding_list_msft_security_baseline_windows_11_22h2_machine.csv

the two Edge settings are not found:
[*] 1/29/2023 6:22:34 PM - Starting Category Microsoft Edge

[$] ID 10952, Configure Windows Defender SmartScreen, Result=, Recommended=1, Severity=Medium

[$] ID 10953, Prevent bypassing Microsoft Defender SmartScreen prompts for sites, Result=, Recommended=1, Severity=Medium

the list points to the reg key:
HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9

I could only find this setting here (the second Defender setting is also found here):
SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter

CSV wrong column

When executing Invoke-HardeningKitty -Mode Audit -Log -Report the generated csv as severity column contains "passed" along with medium and low. Typo?

unauthenticated guest access

I have been trying to figure out which rule has been giving me issues with network drives. It won't let me add drives due to unauthenticated guest access.

XblGameSave Standby Task, 11060

I know the recommendation exists (and you should disable it), but it never made it into the official Microsoft OS machine baselines, right?
I remember they mentioned somewhere, they think about expanding the baselines and adding user based tasks and services..

11060 | Scheduled Task | XblGameSave Standby Task

Mishandling of "Never minutes" in Account Lockout Duration checks

According to my tests when Account Lockout Duration is set to 0, Windows reports the value as "Never", which is also reflected in HardeningKitty's output.

According to documentation:

A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it.

HardeningKitty specifies a numeric threshold for this value, while
a) the "Never" string can't be handled with such a rule
b) 0 as a special case can't be handled by a "bigger is better" kind of rule

I think the "0" setting is more secure than any expiring value, so it should be accepted, but I don't know how much flexibility the rule format of HardeningKitty provides to handle the above edge case.
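A check that treats the 0 / "Never" case as the strongest setting and applies the usual "bigger is better" rule to everything else, as an added example that is not HardeningKitty's own rule engine; the function name, the sample values and the 15-minute threshold are constructed for illustration:

```powershell
# Added example (not HardeningKitty code): evaluate "Account lockout duration" so that
# both the numeric 0 and the string "Never" (locked out until an administrator unlocks,
# as quoted in the issue above) pass, while other values are compared numerically.
function Test-LockoutDuration {
    param(
        [Parameter(Mandatory)] [string] $Result,          # raw value as reported, e.g. "15" or "Never"
        [Parameter(Mandatory)] [int]    $MinimumMinutes   # lower bound from the finding list
    )

    $value = $Result.Trim()

    # Special case: 0 / "Never" means locked out until an administrator unlocks it,
    # which is at least as strong as any finite duration.
    if ($value -eq 'Never' -or $value -eq '0') {
        return [pscustomobject]@{
            Result  = $value
            Minutes = 0
            Passed  = $true
            Reason  = 'Locked until administrator unlock'
        }
    }

    # Anything else must parse as an integer number of minutes.
    $minutes = 0
    if (-not [int]::TryParse($value, [ref] $minutes)) {
        return [pscustomobject]@{
            Result  = $value
            Minutes = $null
            Passed  = $false
            Reason  = 'Unparseable value'
        }
    }

    # Ordinary case: bigger is better, compared against the list's minimum.
    $passed = ($minutes -ge $MinimumMinutes)
    [pscustomobject]@{
        Result  = $value
        Minutes = $minutes
        Passed  = $passed
        Reason  = $(if ($passed) { 'Meets minimum' } else { 'Below minimum' })
    }
}

# Constructed sample values; the 15-minute threshold is a placeholder, not a list value.
'Never', '0', '5', '30', 'abc' |
    ForEach-Object { Test-LockoutDuration -Result $_ -MinimumMinutes 15 } |
    Format-Table -AutoSize
```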

question about scripts

hello.

I was wondering if there are any sections specifically that wouldn't allow for batch files to run. It is a net use batch file that we are trying to implement but so far I have not found any script related lines that would stop them from running. I am able to manually add them through file explorer. Thank you

Case 19.6.6.1.1 is missing severity

invoke-hardeningKitty .\lists\finding_list_cis_microsoft_windows_11_enterprise_21h2_user.csv -EmojiSupport -Mode Audit

Output:
[*] 8/6/2022 9:25:35 AM - Starting Category Administrative Templates: System
[😺] ID 19.6.6.1.1, Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program, Result=1, Severity=Passed

Log:
"19.6.6.1.1","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program","Passed","1"

Lazy feature

A non-existent folder isn't created :( Perhaps this could be done automatically in case people automate this script. Ex: sys admin wasn't paying attention when running this across a network, uh oh, the folder I gave Kitty was the wrong path and now I lost the default settings.

Winning GPO information can help identify conflicts for key settings

Hello @0x6d69636b,

Thanks for the quick chat recently! As mentioned we've made use of RSOP* CIM classes to audit key settings.
I have looked at the list of URA we want to audit at scale and had come up with the following code sample for it. In this case, the effectiveness of AD Tiering GPOs, and control of other sensitive privileges in an environment.

# User Right Assignments of interest
$URA = @(
    'SeDenyServiceLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDebugPrivilege',
    'SeEnableDelegationPrivilege',
    'SeImpersonatePrivilege',
    'SeBatchLogonRight',
    'SeServiceLogonRight',
    'SeInteractiveLogonRight',
    'SeNetworkLogonRight',
    'SeRemoteInteractiveLogonRight'
)

# Inspect the computer RSOP classes (namespace root\RSOP\Computer).
# A precedence of 1 indicates the winning GPO for that user right.
$URA_RSOP = Get-WmiObject -Class RSOP_UserPrivilegeRight -Namespace 'root\RSOP\Computer' |
    Where-Object { $_.UserRight -in $URA -and $_.precedence -eq 1 } |
    Select-Object UserRight, AccountList, GPOID

The GPOID is the Distinguished Name of the object in AD, in the policies container. I'll have a look at the overall structure of HK, perhaps the name or GUIDs of GPOs expected to manage these settings can be stored in a config as well? Do you see this check fit in the current execution flow of HK?

A full list of RSOP classes can be found here; somehow this content is "outdated", but there are a ton more settings to review if needed.
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/rsop-wmi-classes

Cheers
