scipag / HardeningKitty

HardeningKitty - Checks and hardens your Windows configuration
MIT License

Add new finding #22

Open SecurityWho opened 1 year ago

SecurityWho commented 1 year ago

Hello all!

This is not really an issue, but I would like to know if it is possible to add a new finding and, if yes, how.

I want to check if the PowerShell execution policy on the endpoint is set to the Microsoft default "Restricted" or to something different.

PS C:\Users\SecurityWho> Get-ExecutionPolicy
Restricted
0x6d69636b commented 1 year ago

Hi there,

The easy way is to add another finding to your favourite list like so:

12345,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,RemoteSigned,=,Medium
SecurityWho commented 1 year ago

Thanks, this is what I need - I think :-)

I created a custom list with copy-paste from other ones, but it seems not to work. Is there a way to debug that?

hardeningKITTY_WIN10_Maschine_custom_v1r2.csv

After execution, it looks like the list is read but not checked. I tried it with and without admin rights. The default lists are working just fine.

PS C:\Users\SecurityWho> Import-Module "C:\custom-System-Audit\HardeningKITTY\hardeningKITTY.ps1"
PS C:\Users\SecurityWho> Invoke-HardeningKitty  -Mode Audit -Log -Report -FileFindingList "C:\custom-System-Audit\HardeningKITTY\files\SecurityWho\hardeningKITTY_WIN10_Maschine_custom_v1r2.csv"

      =^._.^=
     _(      )/  HardeningKitty 0.8.0-1660481591

[*] 10/27/2022 1:44:53 PM - Starting HardeningKitty

[*] 10/27/2022 1:44:53 PM - Getting machine information
[*] Hostname: WIN2022-SRV1
[*] Domain: locdemo.securitywho.tech
[*] Domain role: MemberServer
[*] Install date: 10/20/2022 09:30:33
[*] Last Boot Time: 10/27/2022 13:41:11
[*] Uptime: 00:03:42.4584132
[*] Windows: Windows Server 2022 Datacenter
[*] Windows edition: ServerDatacenter
[*] Windows version: 2009
[*] Windows build: 20348.1.amd64fre.fe_release.210507-1500
[*] System-locale: en-US
[*] Powershell Version: 5.1

[*] 10/27/2022 1:44:58 PM - Getting user information
[*] Username: LOCDEMO\SecurityWho
[*] Is Admin: False

[*] 10/27/2022 1:44:58 PM - Starting Category
[*] ID SecW-133701,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133702,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133703,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133704,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133705,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133706,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High, , Result=, Recommended=, Severity=
[*] ID SecW-133707,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133708,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,3,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133709,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,=,Medium, , Result=, Recommended=, Severity=
[*] ID SecW-133710,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium, , Result=, Recommended=, Severity=
 <SNIP>

[*] 10/27/2022 1:45:07 PM - HardeningKitty is done
[*] 10/27/2022 1:45:07 PM - Your HardeningKitty score is: 1. HardeningKitty Statistics: Total checks: 0 - Passed: 0, Low: 0, Medium: 0, High: 0.
0x6d69636b commented 1 year ago

HardeningKitty has issues parsing your CSV file. I highlighted some issues: the tabs at the end of a row and the quotes at the start and end of a row. What editor did you use to combine the finding lists?
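
The two things the maintainer points at (tabs at the end of a row, a whole row wrapped in quotes) are exactly what a quick lint of a custom finding list can catch before running the audit, and the same helper can append a correctly quoted row like the one suggested earlier in this thread. The script below is an added example, not HardeningKitty's own code. It assumes a 14-column layout taken from the 14-field rows visible in this thread (the column names used here are an assumption; compare them with the header of the project's own finding lists), writes a constructed demo list to `$env:TEMP`, and uses function names (`Split-CsvLine`, `Test-FindingList`, `New-FindingRow`) that exist only in this example.

```powershell
# Added example, not HardeningKitty's own code: lint a custom finding list for the problems
# discussed in this thread (TAB at the end of a row, a whole row wrapped in quotes, wrong
# field count) and append a correctly quoted row. The column layout below is ASSUMED from
# the 14-field rows in the thread; check it against the header of the project's own lists.
$Columns = 'ID','Category','Name','Method','MethodArgument','RegistryPath','RegistryItem',
           'ClassName','Namespace','Property','DefaultValue','RecommendedValue','Operator','Severity'

function Split-CsvLine {
    # Minimal RFC 4180 field splitter: quoted fields may contain commas and doubled quotes.
    param([string]$Line)
    $fields   = New-Object System.Collections.Generic.List[string]
    $sb       = New-Object System.Text.StringBuilder
    $inQuotes = $false
    for ($i = 0; $i -lt $Line.Length; $i++) {
        $c = $Line[$i]
        if ($inQuotes) {
            if ($c -ne '"') { [void]$sb.Append($c); continue }
            if ($i + 1 -lt $Line.Length -and $Line[$i + 1] -eq '"') { [void]$sb.Append('"'); $i++ }
            else { $inQuotes = $false }
        }
        elseif ($c -eq '"') { $inQuotes = $true }
        elseif ($c -eq ',') { $fields.Add($sb.ToString()); [void]$sb.Clear() }
        else { [void]$sb.Append($c) }
    }
    $fields.Add($sb.ToString())
    return ,$fields.ToArray()
}

function Test-FindingList {
    # Emits one message per problem found; no output means every row parsed into 14 fields.
    param([Parameter(Mandatory)][string]$Path)
    $n = 0
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $n++
        if ($line.Trim() -eq '') { continue }
        if ($line -match "`t")   { "line ${n}: contains TAB characters" }
        if ($line -match '\s+$') { "line ${n}: trailing whitespace after the last field" }
        $fields = Split-CsvLine $line.TrimEnd()
        if ($fields.Count -eq 1 -and $line.StartsWith('"')) {
            "line ${n}: whole row is wrapped in quotes (typical of a re-export from Excel)"; continue
        }
        if ($fields.Count -ne $Columns.Count) {
            "line ${n}: $($fields.Count) fields, expected $($Columns.Count)"; continue
        }
        if ($n -eq 1) { continue }   # header row
        if ($fields[0] -eq '') { "line ${n}: empty ID" }
        if ($fields[13] -notin @('Low', 'Medium', 'High')) { "line ${n}: unexpected Severity '$($fields[13])'" }
    }
}

function ConvertTo-CsvField {
    # Quote a field only when it needs it, doubling embedded quotes.
    param([string]$Value)
    if ($Value -match '[,"]') { '"' + $Value.Replace('"', '""') + '"' } else { $Value }
}

function New-FindingRow {
    # Build one CSV row from a hashtable keyed by column name; missing keys become empty fields.
    param([Parameter(Mandatory)][hashtable]$Finding)
    ($Columns | ForEach-Object { ConvertTo-CsvField ([string]$Finding[$_]) }) -join ','
}

# Constructed demo list: a clean row, a row ending in a TAB, and a row wrapped in quotes.
$demo = Join-Path $env:TEMP 'hardeningkitty_custom_demo.csv'
@(
    ($Columns -join ',')
    'SecW-133701,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,=,Medium'
    "SecW-133702,`"Account Policies`",`"Maximum password age`",accountpolicy,,,,,,,42,60,=,Medium`t"
    '"SecW-133703,""Account Policies"",""Minimum password age"",accountpolicy,,,,,,,0,1,=,Medium"'
) | Set-Content -LiteralPath $demo -Encoding UTF8

# Append the execution-policy finding suggested above, correctly quoted.
New-FindingRow @{
    ID = '12345'; Category = 'PowerShell'; Name = 'Turn on Script Execution (Execution Policy)'
    Method = 'Registry'; RegistryPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
    RegistryItem = 'ExecutionPolicy'; RecommendedValue = 'RemoteSigned'; Operator = '='; Severity = 'Medium'
} | Add-Content -LiteralPath $demo -Encoding UTF8

Test-FindingList -Path $demo
```

Run `Test-FindingList` against a list before passing it to `-FileFindingList`; in the demo it flags the TAB row and the quote-wrapped row, while the clean row and the appended row pass. Building rows with `New-FindingRow` instead of editing in Excel avoids the stray quoting that Excel adds on re-export.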

SecurityWho commented 1 year ago

Thanks! That was the issue. The quotes around the ID I added myself, and some more random quotes were added by Excel, because the first couple were copied via Excel and the rest was done via Notepad++.

I hope this is only one more, last issue. It seems like not all findings are producing a result, for example also the PowerShell finding you created for me, and I also couldn't find the path in the registry at all. Is it normal that some of them are not showing a result? If yes, could a reason be shown?

Attached you'll find the script output and the report file.

Many thanks for your help again! :) output-ps.txt HardeningKitty_Report_latest-v2.xlsx

0x6d69636b commented 1 year ago

Yes, it can be normal that an item does not show a result. Some items have a registry path like Software\Policies* and if there is no policy configured (state "not configured" in gpedit) then the registry entry does not exist and the result is blank. In some cases I have additional checks to get the current state (like for Microsoft Defender or the Windows Firewall) but not for the execution policy. The execution policy is a tricky one, because it can differ between machine, user and session, therefore it is not easy to catch if there is no policy. I can check if there is a reliable way to get the correct setting.
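
To make the blank result concrete: the finding suggested earlier reads only the Group Policy location, so with no GPO configured the key is simply absent, while the policy that is actually enforced comes from whichever scope wins. The script below is an added example, not HardeningKitty's own code. The four registry locations are the ones Windows PowerShell 5.1 uses for the MachinePolicy, UserPolicy, LocalMachine and CurrentUser scopes; the function names and the `RemoteSigned` default for `-Recommended` are this example's own assumptions.

```powershell
# Added example, not HardeningKitty's own code: show why a registry-only check of the
# Software\Policies path comes back blank when no GPO is set, then resolve the execution
# policy that actually applies to this session from all scopes. Registry paths are the
# Windows PowerShell 5.1 locations for each scope; function names are this example's own.

function Get-ExecutionPolicyRegistry {
    # MachinePolicy/UserPolicy values exist only when a GPO configures them; LocalMachine and
    # CurrentUser values exist only after Set-ExecutionPolicy has been run for that scope.
    $locations = [ordered]@{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        LocalMachine  = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        CurrentUser   = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }
    foreach ($scope in $locations.Keys) {
        $path = $locations[$scope]
        # Missing key or missing value both yield $null here, which is the "blank" HardeningKitty reports.
        $item = Get-ItemProperty -Path $path -Name ExecutionPolicy -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { '(missing: a registry-only check sees a blank result)' } else { $item.ExecutionPolicy }
        [pscustomobject]@{ Scope = $scope; Path = $path; Value = $value }
    }
}

function Test-ExecutionPolicyBaseline {
    # The effective policy is the first scope in precedence order (MachinePolicy, UserPolicy,
    # Process, CurrentUser, LocalMachine) that is not Undefined. Get-ExecutionPolicy -List
    # returns the scopes in that order, so the first non-Undefined entry is the deciding one.
    param([string]$Recommended = 'RemoteSigned')   # assumed baseline value, as in the suggested finding
    $scopes    = Get-ExecutionPolicy -List
    $deciding  = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1
    $effective = [string](Get-ExecutionPolicy)      # what this session actually enforces
    $decidedBy = if ($null -ne $deciding) { [string]$deciding.Scope } else { 'built-in default (all scopes Undefined)' }
    $byPolicy  = ($null -ne $deciding) -and (([string]$deciding.Scope) -in @('MachinePolicy', 'UserPolicy'))
    [pscustomobject]@{
        Effective   = $effective
        DecidedBy   = $decidedBy
        SetByPolicy = $byPolicy        # $true only when a GPO decides it, i.e. when the registry finding would be non-blank
        Recommended = $Recommended
        Passed      = ($effective -eq $Recommended)
    }
}

Get-ExecutionPolicyRegistry | Format-Table -AutoSize
Test-ExecutionPolicyBaseline -Recommended 'RemoteSigned'
```

`SetByPolicy` is the difference between "the setting is correct on this box today" and "the setting is enforced and will survive a local change". The Process scope reflects how this particular session was started (for example `-ExecutionPolicy Bypass` on the command line), so run the check the same way the scripts you care about are launched. Execution policy is a safety feature against accidental script execution rather than a security boundary, which is worth keeping in mind when assigning a severity to this finding.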