Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Microsoft Windows 10 Enterprise Release 21H2 Benchmark v1.12.0 / @Rebits

Rebits commented 1 year ago

Related Issue
https://github.com/wazuh/wazuh/issues/13191

Description

Windows 10 SCA policies have been updated https://github.com/wazuh/wazuh/issues/13191. On this account, It is necessary to ensure that these policies fit with the CIS Windows 10 Enterprise Release 21H2 Benchmark v1.12.. Also, manual testing for the used SCA rules is required, ensuring the proposed rules work as expected.

OS: Windows 10 Enterprise
SCA policy file: https://github.com/wazuh/wazuh/blob/83a39381f06965015363b09d4fbcc4fd150fb007/ruleset/sca/windows/cis_win10_enterprise.yml

For each check in the SCA policy checks:

The title, description, rationale, compliance and remediation must correspond to the ones in the check of the corresponding CIS benchmark file found in https://downloads.cisecurity.org/#/.
The check command found in the CIS benchmark file should work as expected and must match the rule specified in the check of the yml file.

The installers must also be tested:

Check the scan is executed automatically when installing.
Check the scan result.

Checks

Checks design

Check ID	Check Category	Description	ID/Title/Description/Rationable	Remediation	Compliance	Rules	Artifact
id	Category	Description	:black_circle:	:black_circle:	:black_circle:	:black_circle:	Artifact

All test results must have one of the following statuses:
:green_circle:	All checks passed.
:red_circle:	There is at least one failed result.
:yellow_circle:	There is at least one expected failure or skipped test and no failures.
:black_circle:	Not tested.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Checks lists

Conclusions :red_circle:

It has detected errors in all policy checks. Among these errors are discrepancies in the Description, Title, Rationale and Remediation fields and also errors in proposed rules. In order to make easy the developer's task, I have created a PR with proposed changes. This PR included fixes for all the fields that should be analyzed and discussed by developers.

We can break down the proposed fixes into:

YAML formatting fix: The file did not conform to a consistent style.
Controls versions update : Controls versions of every check were outdated or wrong.
CIS ID correction: Some CIS ID were wrong. These were correct according to CIS Benchmarks
Fix discrepancies with CIS Benchmark for Description/Rationale/Remediation values.
Fix discrepancies with CIS Benchmarks for Title values.
Description/Rationale/Remediation consistency: Along with fixing inconsistencies with the CIS Benchmark files, it has been added consistency to all fields of the compliance file. Now, Notes and recommended values are included in all checks and not for only some of them.
Increase rules coverage: It has included changes in rules to include Default values and Not configured cases.
Creating custom SCA policies documentation is incomplete. Windows Registry syntax does not contemplate regex and there is no proposed useful example.
Export in CSV option return does not respect expected order.

In addition, general suggestions are proposed:

Make checks field consistent in all policies when proceeding: Some policies include fields like references, level or more rich compliance (containing control versions, nist_800_53, pci_dss). These fields should be consistent in all the policies Include impact value.
Make compliance CIS to String: This field is unique, so I suggest changing it to String instead of List. Enrich rule syntax: Some of the checks can not contemplate every scenario due to syntax being too limited. I suggest including richer syntax.

Metodology

During the testing process, I developed some tools to help with manual testing. These should be taken into account to make automatic/semiautomatic testing in the future, or even they could be considered to include some of the missing fields specified in the suggestions.

PDF parsing

A basic python script was developed to transform the PDF into a JSON with all fields. This could be improved to include all CIS Benchmarks and not only Windows10 Final JSON file: [cis_win10_automated]()

Detection of Tittle/Description/Rationale/Remediation dyscrepancies

In order to detect discrepancies with the CIS Benchmark file in `Tittle/Description/Rationale/Remediation`, I have created a test in pytest to ensure every field consistency. This, use the JSON file obtained in the `PDF parsing` step. This could be improved in order to cover the rest of the CIS benchmarks policies. Test CIS win10: ``` import pytest import json import yaml # @pytest.fixture(scope="module") def load_cis_data(): with open('cis_win10_automated.json') as f: data = json.loads(f.read()) return data # @pytest.fixture(scope="module") def load_policy_data(): with open('cis_win10_enterprise.yaml') as f: data = yaml.load(f.read()) return data cis_data = load_cis_data() policy_data = load_policy_data()['checks'] fields = ['title', 'description', 'remediation', 'rationale'] @pytest.mark.parametrize('check', policy_data ) @pytest.mark.parametrize('field', fields ) def test_cis_win10(check, field): policy_cis_id = check['compliance'][0]['cis'][0] assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}" ``` Report: [CIS_WIN10_DISCREPANCIES.zip](https://github.com/wazuh/wazuh-qa/files/9054068/CIS_WIN10_DISCREPANCIES.zip)

CIS Win 10 events in Wazuh-Dashboard

At first, It has been proposed to create a Cypress test, that will ensure that it has produced events for all the checks, making a screenshot of the Events panel. However, this approach is too slow for this policy, due to this including more than 300 checks. For this reason, is proposed to use Selenium to get the exported list of checks for this policy and use a test in pytest to ensure every field is correctly shown. A [PoC of a E2E has](https://github.com/wazuh/wazuh-qa/issues/3081#issuecomment-1179156462) been proposed in which we ensure that all checks of this policy have been executed and that all its fields are consistent. However, it seems that `sca_win_audit` does not fit the [basic schema](https://github.com/wazuh/wazuh-qa/issues/3081#issuecomment-1179156462)

Comparision

If we apply all suggestion we can see that the number of Not applied cases decrease drastically by taking into account Not configured and default values #### Previous policy version ![appli](https://user-images.githubusercontent.com/11089305/178031234-c9472c7b-232f-4b84-8f7f-16be424c653f.png) #### New policy version ![new](https://user-images.githubusercontent.com/11089305/178031285-593c4df7-6387-4979-8b90-55c5a130de3c.png) It has not detected a meaningful increase in SCA scan time. However further research is required.

Rebits commented 1 year ago

Checks - Block 1 :red_circle:

Rebits commented 1 year ago

Check - Block 2 :red_circle:

Rebits commented 1 year ago

Check - Block 3 :red_circle:

Rebits commented 1 year ago

Global checks

Installer use `cis_win10_enterprise` policy :green_circle:

Windows Wawzuh agent installer loads correctly the right policies and launches them correctly at agent start. ![policies_installer2](https://user-images.githubusercontent.com/11089305/175289242-c819364b-5bda-4ede-b923-d2c4512f7cd2.png) ![policies_installer](https://user-images.githubusercontent.com/11089305/175289248-b388e63e-1fbb-4539-ad93-801b9153c3c0.png)

Checks IDs are consistent :green_circle:

Consistency means that checks are ordered sorted from least to greatest by their ids. In this case we can check easily this using the following command: ``` cat ruleset/sca/windows/cis_win10_enterprise.yml | grep "\- id" | cut -d':' -f2 | tr -d ' ' > f1 seq 15000 15393 > f2 diff f1 f2 ```

YAML format :red_circle:

[YAML](https://github.com/wazuh/wazuh/blob/83a39381f06965015363b09d4fbcc4fd150fb007/ruleset/sca/windows/cis_win10_enterprise.yml) file contains minor style errors. **Proposed patch**: [yaml_cis_win10_enterprise_format.zip](https://github.com/wazuh/wazuh-qa/files/8974457/yaml_cis_win10_enterprise_format.zip)

Compliance fields inconsistency :red_circle:

Some compliance fields are present in some checks but not in most of them: `pci_dss` `nist_800_53`, `gpg13`, `gdpr_IV`, `hipaa`, `tsc`. It should be checked if these fields' absence is correct.

Compliance control version wrong or outdated :red_circle:

Most of the checks compliance has the field control version (`cis_csc`) outdated (V7). Also, some of them have the wrong V7 version. After talking with @72nomada, we have concluded that the best approach will be to create two fields (`cis_csc_7` and `cis_csc_8`) and this will be implemented in the future. **For now, the correct `cis_csc` should be the V8.** > Note: Proposed patch https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568

Reference field inconsistency :red_circle:

The reference field is present only in some checks. Also, where is this reference field get? It represents a common configuration enumeration, but this reference is difficult to find,

Use of / instead of \ in the remediation field (outdated) :red_circle:

``` Some remediation fields use `/` instead of `\` for Windows paths ```

Rebits commented 1 year ago

Some of the error detected in this commentary were fixed in ad7f8f8, 6dd9c4a. Second revision is required

1.1 Password Policy :red_circle:

1.1.1 L1) Ensure 'Enforce password history' is set to '24 or more password(s)' :red_circle:

Severity: Medium
[x] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle:: **Expected remediation**: ``` Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history ``` **Current remediation**: ``` Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy/Enforce password history ``` - Compliance - :red_circle: **Expected cis_csc** ``` 5.2 ``` **Current cis_csc** ``` 16 (16.2 is the correct version in v7) ``` - Rules - :green_circle: - Expected scan result: `FAIL` - Logs: ``` PS C:\Users\vagrant> net.exe accounts Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 42 Minimum password length: 0 Length of password history maintained: None Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: WORKSTATION The command completed successfully. ```

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' :red_circle:

Severity: Medium
[x] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Expected remediation** ``` To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0 ``` **Current remediation** ``` To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age ``` - Compliance - :red_circle: **Expected cis_csc** ``` 5.2 for V8 ``` **Current cis_csc** ``` 16.1.0 (correct V7 cis_csc is 16.10) ``` - Rules - - Expected scan result: `FAIL` - Logs: Same as 1.1.1

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Expected description** ``` This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.The recommended state for this setting is: 1 or more day(s)). ``` **Current description** ``` This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.The recommended state for this setting is: 1 or more day(s)) ``` **Expected remediation** ``` To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age ``` **Current remediation** ``` To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy/Minimum password age ``` - Compliance - :red_circle: **Expected cis_csc** ``` 5.2 ``` **Current cis_csc** ``` 16.1.0 (the correct version in V7 is 16.10) ``` - Rules - - Expected scan result: `FAIL` - Execution: Same as 1.1.1

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Expected rationale** ``` Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. ``` **Current rationale** ``` Types of password attacks include dictionary attacks (which attempt to use common words 'and phrases) and brute force attacks (which try every possible combination of characters). 'Also, attackers sometimes try to obtain the account database so they can use tools to 'discover the accounts and passwords ``` **Expected remediation** ``` To establish the recommended configuration via GP, set the following UI path to '14 or more character(s)':Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length ``` **Current remediation** ``` "To establish the recommended configuration via GP, set the following UI path to 14 or 'more character(s):'Computer Configuration/Policies/Windows Settings/Security Settings/Account 'Policies/Password Policy/Minimum password length' ``` Bad single quotes and / instead of \ - Compliance - :red_circle: **Expected cis_csc*** ``` 5.2 ``` **Current cis_csc** ``` 16.1.0 (the correct v7 cis_csc is 16.2 and 4.4 ) ``` - Rules - - Execution: Same as 1.1.1 - Expected scan result: `FAIL`

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Incomplete description** Only the first paragraph is included **Expected rationale** ``` Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. ``` ** Current rationale ** ``` Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. ``` **Expected remediation** ``` To establish the recommended configuration via GP, set the following UI path to Enabled:Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements ``` **Current remediation** ``` To establish the recommended configuration via GP, set the following UI path to Enabled:Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy/Password must meet complexity requirements ``` - Compliance - :red_circle: **Expected cis_csc** ``` 5.2 (V8) ``` **Current cis_csc** ``` "16.2","4.4" (V7) ``` - Rules - :red_circle: - Expected scan result: `FAIL` - Log: ``` PS C:\Users\vagrant> powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser Get-ADDefaultDomainPasswordPolicy : The term 'Get-ADDefaultDomainPasswordPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Get-ADDefaultDomainPasswordPolicy:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException ``` Module not found

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" :red_circle:

Severity: Hight
[ ] Fixed
[ ] Second review

Details
- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Typo in description** ``` For more information please see the following Microsoft Security Blog ``` **Remediation** Use of / instead of \ - Compliance - :red_circle: **Not defined cis_csc** - Rules - - Not key existance validation - Not aaplied for insecure default configuration ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM' ``` - Expected scan result: `FAIL`

Checks appears at wazuh-dashboard :green_circle:

dashboard-images.zip

Rebits commented 1 year ago

Update 24/06/2022

In order to make the process faster, I have created a custom script to detect actual compliance control version (Check Compliance control version wrong or outdated) Most of these values were outdated or wrong. I index the patch with all the changes in this commentary: copliance_fix.zip This patch also includes the yaml format fix proposed in https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1164285703 (YAML format section)

For now, future checks will review compliance taking into account these changes instead. The rest of the fields will be checked as usual

Rebits commented 1 year ago

1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s) :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: **Typo in rationale `theAccount`** ``` A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure theAccount lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually." ```

Compliance - :red_circle:: Check commentary

Rules - :green_circle:

Output:


PS C:\Users\vagrant> net.exe accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

PS C:\Users\vagrant>

    - Expected scan result: `PASS`:
</details>

### 1.2.2 Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Description: no '.' at the end

This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold


**Bad remediation**

"To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid login attempt(s), but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold"


Expected:

To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold"



- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - 
    - Output: Same as 1.2.1
    - Expected scan result: `FAIL`:
</details>

### 1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - 
    - Output: Same as 1.2.1
    - Expected scan result: `PASS`:
</details>

### Checks appears at wazuh-dashboard  :green_circle:  

[1.2.zip](https://github.com/wazuh/wazuh-qa/files/8999816/1.2.zip)

Rebits commented 1 year ago

2.3.1.1 Ensure 'Accounts: Administrator account status' is set to 'Disabled' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
- ID - :green_circle: - Title, description, rationale, remediation - :green_circle:

Compliance - :red_circle:: Check commentary

Rules -

Output:


PS C:\Users\vagrant> net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never

Password last set 5/17/2022 7:54:40 AM Password expires Never Password changeable 5/17/2022 7:54:40 AM Password required Yes User may change password Yes

Workstations allowed All Logon script User profile Home directory Last logon 3/25/2022 3:48:47 AM

Logon hours allowed All

Local Group Memberships Administrators Global Group memberships None The command completed successfully.

    - Expected scan result: `PASS`:
</details>

### 2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Error in tittle - Expected `'` at the end**

Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - Set incorrectly to not applied 
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `FAIL`:
</details>

### 2.3.1.3 Ensure 'Accounts: Guest account status' is set to 'Disabled' :red_circle:

- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - 
    - Output:

PS C:\Users\vagrant> net user guest User name Guest Full Name Comment Built-in account for guest access to the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 6/28/2022 9:59:28 AM Password expires Never Password changeable 6/28/2022 9:59:28 AM Password required No User may change password No

Workstations allowed All Logon script User profile Home directory Last logon Never

Logon hours allowed All

Local Group Memberships Guests Global Group memberships None The command completed successfully.

    - Expected scan result: `PASS`:
</details>

### 2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Error in remediation - ' .' at the end **

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only.

- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - Default value is enabled, it will be marked as not applied
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\L sa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `PASS`:
</details>

### 2.3.1.5 Configure 'Accounts: Rename administrator account' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :green_circle:
    - Output:

PS C:\Users\vagrant> net user administrator User name Administrator Full Name Comment Built-in account for administering the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 5/17/2022 7:54:40 AM Password expires Never Password changeable 5/17/2022 7:54:40 AM Password required Yes User may change password Yes

Workstations allowed All Logon script User profile Home directory Last logon 3/25/2022 3:48:47 AM

Logon hours allowed All

Local Group Memberships Administrators Global Group memberships None The command completed successfully.

    - Expected scan result: `FAIL`:
</details>

### 2.3.1.6 Configure 'Accounts: Rename guest account' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - 
    - Output: :green_circle:

PS C:\Users\vagrant> net user guest User name Guest Full Name Comment Built-in account for guest access to the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 6/28/2022 10:09:19 AM Password expires Never Password changeable 6/28/2022 10:09:19 AM Password required No User may change password No

Workstations allowed All Logon script User profile Home directory Last logon Never

Logon hours allowed All

Local Group Memberships Guests Global Group memberships None The command completed successfully.

    - Expected scan result: `FAIL`:
</details>

### 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules -  :red_circle: - Expected PASS status but will be marked as not applied - Default value is Enabled
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\L sa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `PASS`:
</details>

### 2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\L sa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `PASS`:
</details>

### 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Error in title**

Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'

**Error in description**

This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators.

Expected

This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 126092897123 ShutdownFlags : 7 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-2383466009-3940392604-4156099882-1001 LastUsedUsername : vagrant DefaultDomainName : DefaultUserName : vagrant AutoAdminLogon : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `PASS`:
</details>

### 2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Error in rationale**
Expected

It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network.


Current rationale

It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network.


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of red
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

AddPrinterDrivers : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Provi ders\LanMan Print Services\Servers PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Provi ders\LanMan Print Services PSChildName : Servers PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `FAIL`:
</details>

### 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `PASS`:
</details>

### 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output: Same as 2.3.6.1
    - Expected scan result: `PASS`:
</details>

### 2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Error in remediation - Extra ' .' at the end of the field**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible).

 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output: Same as 2.3.6.1
    - Expected scan result: `PASS`:
</details>

### 2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output: Same as 2.3.6.1
    - Expected scan result: `PASS`:
</details>

### 2.3.6.5 Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :green_circle: 
    - Output:

PS C:\Users\vagrant> net.exe accounts Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 42 Minimum password length: 0 Length of password history maintained: None Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: WORKSTATION The command completed successfully.

    - Expected scan result: `FAIL`:
</details>

### 2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of pass
    - Output: Same as 2.3.6.1
    - Expected scan result: `PASS`:
</details>

### 2.3.7.1 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting determines whether users must press CTRL+ALT+DEL before they log on.The recommended state for this setting is: Disabled.

**Current description**

Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path.


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle:  - In case of not setting this policy, it will be marked as not applied instead of fail
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `FAIL`
</details>

### 2.3.7.2 Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in

**Current remediation**

"To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - In case of not setting this policy, it will be marked as not applied instead of fail
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `FAIL`
</details>

### 2.3.7.3 Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected description**

This security setting determines the number of failed logon attempts that causes the machine to be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled.

**Current description**

This security setting determines the number of failed logon attempts that causes the machine to be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. The recommended state for this setting is: 10 or fewer invalid logon attempts, but not 0.


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - Multiple errors:
-  In case of not setting this policy, it will be marked as not applied instead of fail
- Rule match for `MaxDevicePasswordFailedAttempts <= 30` but is is required  `<=10`
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `FAIL`
</details>

### 2.3.7.4  Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit

**Current remediation**

To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit.

 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: - In case of not setting this policy, it will be marked as not applied instead of fail
    - Output: Same as 2.3.7.3
    - Expected scan result: `FAIL`
</details>

### 2.3.7.5  Configure 'Interactive logon: Message text for users attempting to log on' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected rationale**

Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.

**Current rationale**

Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited

 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :green_circle:
    - Output:

PS C:\Users\vagrant> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticetext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system legalnoticetext REG_SZ

    - Expected scan result: `FAIL`
</details>

### 2.3.7.6  Configure 'Interactive logon: Message title for users attempting to log on'  :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.

**Current description (extra whitespace at end of the field)**

This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.


**Expected rationale**

Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process.


**Current rationale**

Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process.


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :green_circle:
    - Output:

PS C:\Users\vagrant> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticecaption

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system legalnoticecaption REG_SZ


    - Expected scan result: `FAIL`
</details>

### 2.3.7.7  Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of failed 
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 126092897123 ShutdownFlags : 7 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-2383466009-3940392604-4156099882-1001 LastUsedUsername : vagrant DefaultDomainName : DefaultUserName : vagrant AutoAdminLogon : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

PS C:\Users\vagrant>

    - Expected scan result: `FAIL`
</details>

### 2.3.7.8 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of failed 
    - Output: Same as 2.3.7.7
    - Expected scan result: `FAIL`
</details>

### 2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of failed 
    - Output: Same as 2.3.7.7
    - Expected scan result: `FAIL`
</details>

### 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of failed 
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'

EnablePlainTextPassword : 0 EnableSecuritySignature : 1 RequireSecuritySignature : 0 ServiceDll : C:\Windows\System32\wkssvc.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

    - Expected scan result: `FAIL`
</details>

### 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of pass 
    - Output: Same as 2.3.8.1
    - Expected scan result: `FAIL`
</details>

### 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of pass 
    - Output: Same as 2.3.8.1
    - Expected scan result: `FAIL`
</details>

### 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s) :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s).

**Current description**

"This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of pass

    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `PASS`
</details>

### 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of fail
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `FAIL`
</details>

### 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of fail
    - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


    - Expected scan result: `FAIL`
</details>

### 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of pass
    - Output: Same as 2.3.9.3
    - Expected scan result: `FAIL`
</details>

### 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :green_circle:
 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :red_circle: In case of not define this policy state will be Not applied instead of fail
    - Output: Same as 2.3.9.3
    - Expected scan result: `FAIL`
</details>

### 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name  translation' is set to 'Disabled' :red_circle:
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

 - ID - :green_circle:
 - Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name.

**Current description**

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name

**Expected rationale**

If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.


**Current rationale**

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name


 - Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
 - Rules - :yellow_circle: If `LSAAnonymousNameLookup` not defined, it will be marked as Not applicable instead of failed (default value Enabled)

    - Output:

C:\Users\vagrant>powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" 1

    - Expected scan result: `FAIL`

</details>

### 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected rationale**

An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)


**Current rationale**

An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:: In case of not defining registry value, the check will be marked as Not applicable instead of pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'  :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
** Expected rationale **

An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)


**Current rationale**

An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:: In case of not defining registry value, the check will be marked as Not applicable instead of fail
  - Output: Same as 2.3.10.2
  - Expected scan result: `FAIL`

</details>

### 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'  :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:: In case of not defining registry value, the check will be marked as Not applicable instead of fail
  - Output: Sames as 2.3.10.2
  - Expected scan result: `PASS`

</details>

### 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:: In case of not defining registry value, the check will be marked as Not applicable instead of pass
  - Output:
  - Expected scan result: `PASS`

</details>

### 2.3.10.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' 
- Severity: `Low` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.10.7 Ensure 'Network access: Remotely accessible registry paths' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected tittle**

Ensure 'Network access: Remotely accessible registry paths' is configured

**Current tittle**

Ensure 'Network access: Remotely accessible registry paths'


**Expected description**

This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and subpaths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)."


**Current description**

This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)."


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'

Machine : {System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg PSChildName : AllowedExactPaths PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.10.8 Ensure 'Network access: Remotely accessible registry paths and sub-paths' 
- Severity: `Medium` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected tittle**

Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured

**Current tittle**

Ensure 'Network access: Remotely accessible registry paths and sub-paths'

**Expected description**

This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called ' Network access: Remotely accessible registry paths' , the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog"


**Current description**

This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog"


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'

Machine : {System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg PSChildName : AllowedPaths PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

 - Rules - :red_circle: - In case of not setting this policy, it will be marked as not applied instead of pass

  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {a} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'  :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In case of not setting this policy, it will be marked as not applied instead of fail
  - Output:

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.10.11 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' 
- Severity: `Medium` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected rationale**

It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data.


**Current rationale**

It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In case of not setting this policy, it will be marked as not applied instead of pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {a} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.10.12 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'  :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In case of not setting this policy, it will be marked as not applied instead of pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `PASS`

</details>

### 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In case of not setting this policy, it will be marked as not applied instead of fail
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' 
- Severity: `High` :red_circle:
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In case of not setting this policy, it will be marked as not applied instead of pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'

Auth132 : IISSUBA NtlmMinClientSec : 536870912 NtlmMinServerSec : 536870912 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSChildName : MSV1_0 PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - Not defined and disabled by default. If this policy is not changed this will produce a false positive. Change to condition any and negate the first rule
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' Get-ItemProperty : Cannot find path 'HKLM:\System\CurrentControlSet\Control\Lsa\pku2u' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\System\Cu...ntrol\Lsa\pku2u:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```
- Expected scan result: `PASS`

2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected tittle

Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'

Current tittle

Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'

Expected description

This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it.

Current description

This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting.

Compliance - :red_circle:: Check commentary

Rules - :red_circle:: Default value RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. However not applicable is the final scan result due to registry does not exists.

Output:


PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Get-ItemProperty : Cannot find path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Wi ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\Software\...eros\Parameters:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

PS C:\Users\vagrant\AppData>

  - Expected scan result: `FAIL`

</details>

### 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'  :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - In case of not define this policy not applicable result will be set instead of pass.
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it.


**Current description**

This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - In case of not define this policy not applicable result will be set instead of pass.
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {a} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {233, 18, 141, 197...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer \Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - Final status not applicable, expected pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 680 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - In case of ldapclientintegrity is not defined the result will be no applicable result instead of pass
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'

ldapclientintegrity : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services PSChildName : LDAP PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:  - Not applicable in case of registry not defined instead of fail
  - Output:

PS C:\Users\vagrant\AppData> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'

Auth132 : IISSUBA NtlmMinClientSec : 536870912 NtlmMinServerSec : 536870912 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSChildName : MSV1_0 PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


  - Expected scan result: `FAIL`

</details>

### 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:  - Not applicable in case of registry not defined instead of fail
  - Output: Same as 2.3.11.10
  - Expected scan result: `FAIL`

</details>

Rebits commented 1 year ago

29/06/2022

In order to make it easier to track all requested changes and apply them to https://github.com/wazuh/wazuh/issues/13191, I have created 13191-Update-Win10-SCA-vr-qa with most of these changes.

Rebits commented 1 year ago

2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected tittle

Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher

Current tittle

Ensure 'System cryptography: Force strong key protection  for user keys stored on the computer' is set to 'User is prompted when  the key is first used' or higher

Expected description

This policy setting determines whether users' private keys (such as their S-MIME keys)
require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark.

Current description

Ensure 'System cryptography: Force strong key protection  for user keys stored on the computer' is set to 'User is prompted when  the key is first used' or higher

Expected rationale

If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from  their domain password every time they use a key. This configuration makes it more  difficult for an attacker to access locally stored user keys, even if the attacker takes control  of the user's computer and determines their logon password.

Current rationale

If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can  configure this policy setting so that users must provide a password that is distinct from  their domain password every time they use a key. This configuration makes it more  difficult for an attacker to access locally stored user keys, even if the attacker takes control  of the user's computer and determines their logon password.

Expected remediation

To establish the recommended configuration via GP, set the following UI path to User is  prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local  Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer

Current remediation

To establish the recommended configuration via GP, set the following UI path to User is  prompted when the key is first used (configuring to User must enter a password  each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local  Policies\\Security Options\\System cryptography: Force strong key protection  for user keys stored on the computer

Compliance - :red_circle:: Check commentary

Rules - :red_circle: - Scan result Not applicable - Expected FAIL

Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'  
PS C:\Users\vagrant>

Expected scan result: FAIL

2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non-Windows subsystems.

Current remediation

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non -Windows subsystems.

Compliance - :red_circle:: Check commentary

Rules - :red_circle: Not applicable when policy is not set - Expected PASS

Output:

DpcWatchdogProfileOffset         : 10000
ObUnsecureGlobalNames            : {netfxcustomperfcounters.1.0, SharedPerfIPCBlock, Cor_Private_IPCBlock,
                           Cor_Public_IPCBlock_}
SeTokenSingletonAttributesConfig : 3
obcaseinsensitive                : 1
PSPath                           : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Cont
                           rol\Session Manager\Kernel
PSParentPath                     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Cont
                           rol\Session Manager
PSChildName                      : Kernel
PSDrive                          : HKLM
PSProvider                       : Microsoft.PowerShell.Core\Registry

Expected scan result: FAIL

2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle:: Check commentary
Rules - :red_circle: Not applicable when policy is not set - Expected PASS
- Output: Same as 2.3.15.1
- Expected scan result: FAIL

2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle:: Check commentary

Rules - :red_circle: Not applicable - Expected FAIL

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : fdsafsa scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 2.3.17.2 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected FAIL
  - Output: Same as 2.3.17.1
  - Expected scan result: `FAIL`

</details>

### 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected FAIL
  - Output: Same as 2.3.17.1
  - Expected scan result: `FAIL`

</details>

### 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation


**Current remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected FAIL
  - Output: Same as 2.3.17.1
  - Expected scan result: `FAIL`

</details>

### 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
Not consistent with the rest of the checks. If dots in CIS document are trasncript into ' -' this should be general in all the file

**Expected description**

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - \Program Files\, including subfolders; - \Windows\system32\; - \Program Files (x86)\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled.


**Current description**

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\Program Files\, including subfolders; ...\Windows\system32\; ...\Program Files (x86)\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled.


**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations


**Current remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected PASS
  - Output: Same as 2.3.17.1
  - Expected scan result: `PASS`

</details>

### 2.3.17.6 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode


**Current remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode.

- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected PASS
  - Output: Same as 2.3.17.1
  - Expected scan result: `FAIL`

</details>

### 2.3.17.7 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' :red_circle:
- Severity: `High`
- [x] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

**Current remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected PASS
  - Output: Same as 2.3.17.1
  - Expected scan result: `PASS`

</details>

### 2.3.17.8 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' :red_circle:
- Severity: `Medium`
- [x] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

**Current remediation**

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations.



- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: Not applicable when no policy is set - Expected PASS
  - Output: Same as 2.3.17.1
  - Expected scan result: `PASS`

</details>

Rebits commented 1 year ago

5.1 Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected tittle

Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set  to 'Disabled'

Current tittle

(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set  to 'Disabled'

Expected description

Service supporting the audio gateway role of the Bluetooth Handsfree Profile.The recommended state for this setting is: Disabled.

Current description

Service supporting the audio gateway role of the Bluetooth Handsfree Profile.

Expected rationale

Bluetooth technology has inherent security risks - especially prior to the v2.1 standard.  Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment,  it should not be permitted, in spite of the added inconvenience of not being able to use  Bluetooth devices.

Current rationale

Bluetooth technology has inherent security risks - especially prior to the v2.1 standard.  Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment,  it should not be permitted, in spite of the added inconvenience of not being able to use  Bluetooth devices.

Compliance - :red_circle:: Check commentary
Rules - :green_circle: In some versions of W10 BTAGService is not defined, so in this case if that registry does not exist it will be necessary to apply Not applicable. No changes are needed.
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\BTAGService.dll,-102 DisplayName : @%SystemRoot%\system32\BTAGService.dll,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGServi ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : BTAGService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.2 Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected tittle**

Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'

**Current tittle**

(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'


**Expected description**

The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled.

**Current description**

The Bluetooth service supports discovery and association of remote Bluetooth devices


**Expected rationale**

Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices.

**Current rationale**

: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:  Not applicable in case of policy is not defined - Expected FAIL
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'

Description : @%SystemRoot%\System32\bthserv.dll,-102 DisplayName : @%SystemRoot%\System32\bthserv.dll,-101 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\bthserv PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es PSChildName : bthserv PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.4 Ensure 'Downloaded Maps Manager (MapsBroker)' is set to  'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle:  Not applicable in case of policy is not defined - Expected FAIL
  - Output:

DelayedAutoStart : 1 DependOnService : {rpcss} Description : @%SystemRoot%\System32\moshost.dll,-101 DisplayName : @%SystemRoot%\System32\moshost.dll,-100 ErrorControl : 1 Group : NetworkService ImagePath : C:\Windows\System32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeImpersonatePrivilege} ServiceSidType : 1 Start : 2 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\MapsBroker PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es PSChildName : MapsBroker PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.5 Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'


**Expected description**

This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled.


**Current description**

This service monitors the current location of the system and manages geofences (a geographical location with associated events).


**Expected remediation**

To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Geolocation Service"


**Current remediation**

To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Geolocation Service "


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - Bad rule same as 5.4. Expected rule is:

  - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
  - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start'
  - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4'º

  - Output: (Correct command)

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'

DependOnService : {RpcSs} Description : @%SystemRoot%\System32\lfsvc.dll,-2 DisplayName : @%SystemRoot%\System32\lfsvc.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\lfsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es PSChildName : lfsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


  - Expected scan result: `FAIL`

</details>

### 5.6 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not  Installed :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed.Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise.


**Current description**

Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services


**Expected rationale**

Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS.


**Current rationale**

Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...
- CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu. ..rvices\IISADMIN:String) [Get-ItemProperty], ItemNotFoundE xception
- FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell .Commands.GetItemPropertyCommand

PS C:\Users\vagrant>

  - Expected scan result: `FAIL`

</details>

### 5.7 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or  'Not Installed' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'


**Current tittle**

Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'


**Expected description**

Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled or Not Installed.


**Current description**

Detects other Infrared devices that are in range and launches the file transfer application


**Expected rationale**

Infrared connections can potentially be a source of data compromise - especially via the automatic file transfer application functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared.


**Current rationale**

Infrared connections can potentially be a source of data compromise - especially via the automatic file transfer application functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: Suggestions, also include check of start value

  - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'

  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\irmon' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...
- CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu. ..\Services\irmon:String) [Get-ItemProperty], ItemNotFoundE xception
- FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell .Commands.GetItemPropertyCommand
- Expected scan result: FAIL

5.8 Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

Provides network access translation, addressing, name resolution and/or intrusion  prevention services for a home or small office network. The recommended state for this setting is: Disabled.

Current description

Provides network access translation, addressing, name resolution and/or intrusion  prevention services for a home or small office network.

Expected rationale

Internet Connection Sharing (ICS) is a feature that allows someone to share their Internet  connection with other machines on the network - it was designed for home or small office  environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely  bypassing other, more secure pathways. It should not be used on any enterprise-managed system.

Current rationale

Internet Connection Sharing (ICS) is a feature that allows someone to share their Internet  connection with other machines on the network - it was designed for home or small office  environments where only one machine has Internet access - it effectively turns that  machine into an Internet router. This feature causes the bridging of networks and likely  bypassing other, more secure pathways. It should not be used on any enterprise-managed  system.

Compliance - :red_circle:: Check commentary
Rules - :red_circle: - Not applicable in case of not defined register. - Expected FAIL
- Output:

DependOnService : {BFE} Description : @%SystemRoot%\system32\ipnathlp.dll,-107 DisplayName : @%SystemRoot%\system32\ipnathlp.dll,-106 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es PSChildName : SharedAccess PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.9 Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to  'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'


**Expected description**

Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled.


**Current description**

(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'


**Expected rationale**

The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments.


**Current rationale**

The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: - Not applicable in case of not defined register. - Expected FAIL
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'

DependOnService : {rpcss, lltdio} Description : @%SystemRoot%\system32\lltdres.dll,-2 DisplayName : @%SystemRoot%\system32\lltdres.dll,-1 ErrorControl : 1 FailureActions : {0, 0, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeImpersonatePrivilege, SeChangeNotifyPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\lltdsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LO CAL_MACHINE\SYSTEM\CurrentControlSet\Servic es PSChildName : lltdsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.10 Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not  Installed' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'


**Current tittle**

Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' (Automated)


**Expected description**

The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux).


**Current description**

The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestions, include check Start value
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...
- CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu. ..ces\LxssManager:String) [Get-ItemProperty], ItemNotFoundE xception
- FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell .Commands.GetItemPropertyCommand
- Expected scan result: FAIL

5.11 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

Enables the server to be a File Transfer Protocol (FTP) server. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - FTP Server).

Current description

Enables the server to be a File Transfer Protocol (FTP) server

Expected rationale

Hosting an FTP server (especially a non-secure FTP server) from a workstation is an  increased security risk, as the attack surface of that workstation is then greatly increased.

Current rationale

Hosting an FTP server (especially a non-secure FTP server) from a workstation is an  increased security risk, as the attack surface of that workstation is then greatly increased

Compliance - :red_circle:: Check commentary
Rules - :green_circle: - Suggestion: Include check of registry value Start
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...
- CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu. ..Services\FTPSVC:String) [Get-ItemProperty], ItemNotFoundE xception
- FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell .Commands.GetItemPropertyCommand
- Expected scan result: FAIL

5.12 Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected tittle

Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to  'Disabled'

Current tittle

(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to  'Disabled'

Expected description

Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled.

Current description

Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices.

Compliance - :red_circle:: Check commentary
Rules - :green_circle: Include check for registry and value
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Msiscsi'

Description : @%SystemRoot%\system32\iscsid sc.dll,-5001 DisplayName : @%SystemRoot%\system32\iscsid sc.dll,-5000 ErrorControl : 1 FailureActions : {80, 70, 0, 0...} FailureActionsOnNonCrashFailures : 1 FailureCommand : customScript.cmd Group : iSCSI ImagePath : C:\Windows\system32\svchost.e xe -k netsvcs -p ObjectName : LocalSystem RebootMessage : See Note 3 below RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCr eatePermanentPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Reg istry::HKEY_LOCAL_MACHINE\SYS TEM\CurrentControlSet\Service s\Msiscsi PSParentPath : Microsoft.PowerShell.Core\Reg istry::HKEY_LOCAL_MACHINE\SYS TEM\CurrentControlSet\Service s PSChildName : Msiscsi PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Reg istry

  - Expected scan result: `FAIL`

</details>

### 5.13 Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not  Installed :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server).


**Current description**

SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: Suggestion, include check of Start value
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssh' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\ssh' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...
- CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu. ..et\Services\ssh:String) [Get-ItemProperty], ItemNotFoundE xception
- FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell .Commands.GetItemPropertyCommand
- Expected scan result: FAIL

5.14 Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Expected tittle
```
Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'
```

Current tittle

(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'

Compliance - :red_circle:: Check commentary

Rules - :green_circle: Suggestion, include check of Start value

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'

DependOnService : {p2pimsvc} Description : @%SystemRoot%\system32\pnrpsvc.dll,-8001 DisplayName : @%SystemRoot%\system32\pnrpsvc.dll,-8000 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PNRPsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.15 Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'

DependOnService : {p2pimsvc, PNRPSvc} Description : @%SystemRoot%\system32\p2psvc.dll,-8007 DisplayName : @%SystemRoot%\system32\p2psvc.dll,-8006 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : p2psvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.16 Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to'Disabled'


**Current tittle**

(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'

DependOnService : {p2pimsvc, PNRPSvc} Description : @%SystemRoot%\system32\p2psvc.dll,-8007 DisplayName : @%SystemRoot%\system32\p2psvc.dll,-8006 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : p2psvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


  - Expected scan result: `FAIL`

</details>

### 5.17 Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is setto 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected tittle**

Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is setto 'Disabled


**Current tittle**

(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is setto 'Disabled

- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'

DependOnService : {pnrpsvc} Description : @%SystemRoot%\system32\pnrpauto.dll,-8003 DisplayName : @%SystemRoot%\system32\pnrpauto.dll,-8002 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoR eg PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PNRPAutoReg PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.18 Ensure 'Print Spooler (Spooler)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>

<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled.


**Current description**

This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled.


**Expected rationale**

In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled. Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service.


**Current rationale**

In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler'

DependOnService : {RPCSS, http} Description : @%systemroot%\system32\spoolsv.exe,-2 DisplayName : @%systemroot%\system32\spoolsv.exe,-1 ErrorControl : 1 FailureActions : {16, 14, 0, 0...} Group : SpoolerGroup ImagePath : C:\Windows\System32\spoolsv.exe ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege...} ServiceSidType : 1 Start : 2 Type : 272 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : Spooler PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.19 Ensure 'Problem Reports and Solutions Control Panel Support(wercplsupport)' is set to 'Disabled'  :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Problem Reports and Solutions Control Panel Support(wercplsupport)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Problem Reports and Solutions Control Panel Support(wercplsupport)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'

Description : @%SystemRoot%\System32\wercplsupport.dll,-100 DisplayName : @%SystemRoot%\System32\wercplsupport.dll,-101 ErrorControl : 1 ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeImpersonatePrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsup port PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : wercplsupport PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.20 Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:

**Expected tittle**

Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to'Disabled'


**Current tittle**

(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

                 Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'

DependOnService : {RasAcd} Description : @%Systemroot%\system32\rasauto.dll,-201 DisplayName : @%Systemroot%\system32\rasauto.dll,-200 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeImpersonatePrivilege, SeTcbPrivilege, SeIncreaseQuotaPrivilege, SeChangeNotifyPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\RasAuto PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : RasAuto PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.21 Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

           Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'

DependOnService : {RPCSS, LanmanWorkstation} Description : @%SystemRoot%\System32\SessEnv.dll,-1027 DisplayName : @%SystemRoot%\System32\SessEnv.dll,-1026 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeImpersonatePrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\SessionEnv PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : SessionEnv PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.22 Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'


**Current tittle**

(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'

DependOnService : {RPCSS} Description : @%SystemRoot%\System32\termsrv.dll,-267 DisplayName : @%SystemRoot%\System32\termsrv.dll,-268 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k NetworkService ObjectName : NT Authority\NetworkService RequiredPrivileges : {SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\TermService PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : TermService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.23 Ensure 'Remote Desktop Services UserMode Port Redirector(UmRdpService)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Remote Desktop Services UserMode Port Redirector(UmRdpService)' is set to 'Disabled'


**Current tittle**

Ensure 'Remote Desktop Services UserMode Port Redirector(UmRdpService)' is set to 'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'

DependOnService : {TermService, RDPDR} Description : @%SystemRoot%\system32\umrdp.dll,-1001 DisplayName : @%SystemRoot%\system32\umrdp.dll,-1000 ErrorControl : 1 FailureActions : {0, 0, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p ObjectName : localSystem RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\UmRdpService PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : UmRdpService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.24 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to'Disabled'


**Current tittle**

Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to'Disabled'


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'

Description : @%systemroot%\system32\Locator.exe,-3 DisplayName : @%systemroot%\system32\Locator.exe,-2 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\system32\locator.exe ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeChangeNotifyPrivilege} Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\RpcLocator PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : RpcLocator PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.25 Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

Enables remote users to view and modify registry settings on this computer.The recommended state for this setting is: Disabled.


**Current description**

Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled.


- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'

DependOnService : {RPCSS} Description : @regsvc.dll,-2 DisplayName : @regsvc.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k localService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 4 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\RemoteRegistry PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : RemoteRegistry PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.26 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'

DependOnService : {RPCSS} Description : @regsvc.dll,-2 DisplayName : @regsvc.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k localService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 4 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\RemoteRegistry PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : RemoteRegistry PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.27 Ensure 'Server (LanmanServer)' is set to 'Disabled' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: - Suggestion: Include check of registry value Start
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'

DependOnService : {SamSS, Srv2} Description : @%systemroot%\system32\srvsvc.dll,-101 DisplayName : @%systemroot%\system32\srvsvc.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeAuditPrivilege} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services\LanmanServer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\Curr entControlSet\Services PSChildName : LanmanServer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.28 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\simptcp' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...ervices\simptcp:Strin
g) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper
tyCommand

  - Expected scan result: `FAIL`

</details>

### 5.29 Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed :red_circle:
- Severity: `Low`
- [x] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :red_circle: In my local environment the final state was Not applicable, due to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP exists but no the Start value. Not solved in the branch
  - Output:

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP' PS C:\Users\vagrant>


  - Expected scan result: `FAIL`

</details>

Rebits commented 1 year ago

01/072022

I have developed a simple pytest test to ensure the fields title, description, remediation and rationale are exactly ad in CIS PDF file. I also index a report with the results of the title field in the branch 13191-Update-Win10-SCA-vr-qa Automated_Check_Win10.zip

PDF parser has not included in the used json file the checks 18.8.5.1, 18.8.5.2, 18.8.5.3, 18.8.5.4, 18.8.5.5, 18.8.5.6. It is necessary to review the used script in order to ensure all checks of the file are gathered

Rebits commented 1 year ago

Wrong CIS IDS :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Using https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172147543 test, it has been detected the the following CIS IDs are not included in the PDF file: 18.9.47.11.11, 18.9.59.3.9.2, 18.9.82.1

The correct cis for checks 15327, 15344, and 15367 are respectively 18.9.47.11.1. Fixed in 3191-Update-Win10-SCA-vr-qa

All the title, cis id errors, and bad rules detected in this analysis have been fixed in 3191-Update-Win10-SCA-vr-qa branch. The remaining errors in the test come from an error parsing compound words with -

Report: TitleReport.zip

Rebits commented 1 year ago

Update 01/07/202 (Outdated check https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867)

It has been detected that some format errors were very common in the policy:

More than one white space in a row
White space before the closing "

This has been fixed in the branch 3191-Update-Win10-SCA-vr-qa branch. For now one, all the reviews will not check this style error, marking Title, description, rationale, remediation as :yellow_circle: if no errors were detected using 3191-Update-Win10-SCA-vr-qa branch version. This will also be the default behavior for the compliance field.

Update 05/07/202

Due to multiple errors not detected during the first review of the first range of checks in the multiple fields, I am going to change using the custom test to change all detected errors in all fields except the rules, leaving a review in comments for rule analysis. The rest of the fields will be marked as :yellow_circle: , indicating that developer should review the PR

Rebits commented 1 year ago

After talking with @fabamatic, We are going to check only the Start value (not ensuring the existence of this registries) for every Ensure 'Service' is set to 'Disabled' check

5.30 Ensure 'Special Administration Console Helper (sacsvr)' is set to'Disabled' or 'Not Installed' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: -

TItle: Check changes in PR

Compliance - :red_circle:: Check commentary
Rules - :green_circle:
- Output:
- Expected scan result: FAIL

5.31 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: -

TItle: Check changes in PR

Compliance - :yellow_circle:: Check commentary
Rules - :green_circle:
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'

DependOnService : {HTTP, NSI} Description : @%systemroot%\system32\ssdpsrv.dll,-101 DisplayName : @%systemroot%\system32\ssdpsrv.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : SSDPSRV PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.32 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'

DependOnService : {SSDPSRV, HTTP} Description : @%systemroot%\system32\upnphost.dll,-214 DisplayName : @%systemroot%\system32\upnphost.dll,-213 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : upnphost PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.33 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...\Services\WMSvc:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```
- Expected scan result: `FAIL`

5.34 Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: -

TItle: Check changes in PR

Compliance - :yellow_circle:: Check in PR

Rules - :green_circle:

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'

Description : @%SystemRoot%\System32\wersvc.dll,-101 DisplayName : @%SystemRoot%\System32\wersvc.dll,-100 ErrorControl : 0 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k WerSvcGroup ObjectName : localSystem RequiredPrivileges : {SeDebugPrivilege, SeTcbPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege} ServiceSidType : 1 Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WerSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.35 Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**

This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled.


**Current description**

This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled.


- Compliance - :yellow_circle:: Check [commentary](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'

DependOnService : {HTTP, Eventlog} Description : @%SystemRoot%\system32\wecsvc.dll,-201 DisplayName : @%SystemRoot%\system32\wecsvc.dll,-200 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : Wecsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.36 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'

DependOnService : {http, WSearch} Description : @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-102 DisplayName : @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : "C:\Program Files\Windows Media Player\wmpnetwk.exe" ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WMPNetworkSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.37 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'

DependOnService : {RpcSs, wcmsvc} Description : @%SystemRoot%\System32\tetheringservice.dll,-4098 DisplayName : @%SystemRoot%\System32\tetheringservice.dll,-4097 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} Group : TDI ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p ObjectName : NT Authority\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : icssvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.38 Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\wpnservice.dll,-2 DisplayName : @%SystemRoot%\system32\wpnservice.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WpnService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.39 Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\pushtoinstall.dll,-201 DisplayName : @%SystemRoot%\system32\pushtoinstall.dll,-200 ErrorControl : 0 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PushToInstall PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.40 Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

DelayedAutoStart : 0 DependOnService : {RPCSS, HTTP} Description : @%Systemroot%\system32\wsmsvc.dll,-102 DisplayName : @%Systemroot%\system32\wsmsvc.dll,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WinRM PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.41 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'

DependOnService : {WAS, HTTP} Description : @%windir%\system32\inetsrv\iisres.dll,-30004 DisplayName : @%windir%\system32\inetsrv\iisres.dll,-30003 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k iissvcs ObjectName : localSystem RequiredPrivileges : {SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege...} ServiceSidType : 0 Start : 2 SvcHostSplitDisable : 1 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : W3SVC PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.42 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'

Description : @%systemroot%\system32\xboxgipsvc.dll,-101 DisplayName : @%systemroot%\system32\xboxgipsvc.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XboxGipSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.43 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'

DependOnService : {RpcSs} Description : @%systemroot%\system32\XblAuthManager.dll,-101 DisplayName : @%systemroot%\system32\XblAuthManager.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XblAuthManager PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.44 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'

DependOnService : {UserManager, XblAuthManager} Description : @%systemroot%\system32\XblGameSave.dll,-101 DisplayName : @%systemroot%\system32\XblGameSave.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XblGameSave PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

  - Expected scan result: `FAIL`

</details>

### 5.45 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' :yellow_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: -

**TItle**: Check changes in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Compliance - :yellow_circle:: Check in [PR](https://github.com/wazuh/wazuh/pull/14090)

- Rules - :green_circle: 
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'

DependOnService : {BFE, mpssvc, IKEEXT, KeyIso} Description : @%systemroot%\system32\XboxNetApiSvc.dll,-101 DisplayName : @%systemroot%\system32\XboxNetApiSvc.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XboxNetApiSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


  - Expected scan result: `FAIL`

</details>

Rebits commented 1 year ago

9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle:
Compliance - :yellow_circle:: Check commentary

Rules - :red_circle: Not applicable instead of FAIL in case of not configured

Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
PS C:\Users\vagrant>

Expected scan result: FAIL

9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle:
Compliance - :yellow_circle:: Check commentary
Rules - :red_circle: Not applicable instead of PASS in case of not configured. SCA limitations makes impossible to deal correctly for this case. The correct behaviour is:
FAIL if EnableFirewall is not 1
PASS If firewall is enable, and DefaultInboundAction is not defined
PASS If firewall is enable, and DefaultInboundAction is defined with 1
FAIL otherwise

The only option is to make default case not applicable and

      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'

Fail always if firewall is not enable. It will mark default case as Not applicable

Output: Same as 9.1.1
Expected scan result: FAIL

9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default) :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle:
Compliance - :yellow_circle:: Check commentary
Rules - :red_circle: Same as 9.1.2. There are limitations for ensuring this check.

Suggestion

      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'

Output: Same as 9.1.1
Expected scan result: FAIL

9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle:
Compliance - :yellow_circle:: Check commentary
Rules - :red_circle: Not applicable instead of FAIL if this policy is not configured

Suggestion:

      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'

Output: Same as 9.1.1
Expected scan result: FAIL

9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log

Current description

Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log

Expected remediation

To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name

Current remediation

To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name

Compliance - :yellow_circle:: Check commentary

Rules - :red_circle: Not applicable instead of FAIL in case of not configuration

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

Suggestion

      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'

Expected scan result: FAIL

9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle:
Compliance - :yellow_circle::

Rules - :red_circle: Default value is not scure, however not applicable is set.

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

  - Expected scan result: `FAIL`

</details>

### 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:
- Compliance - :yellow_circle:: 
- Rules - :red_circle: Default value is not scure, however not applicable is set.
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

  - Expected scan result: `FAIL`

</details>

### 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:
- Compliance - :yellow_circle:: 
- Rules - :red_circle: Default value is not scure, however not applicable is set.
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

  - Expected scan result: `FAIL`

</details>

### 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' :red_circle:
- Severity: `HIgh`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:
- Compliance - :yellow_circle:: 
- Rules - :red_circle: Default value is not secure, however not applicable is set.
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

  - Expected scan result: `FAIL`

</details>

### 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' :red_circle:
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:
- Compliance - :yellow_circle:: 
- Rules - :red_circle: Default value is not secure, however not applicable is set.
  - Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\PrivateProfile:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```
- Expected scan result: `FAIL`

9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.2.1
- Expected scan result: FAIL

9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.2.1
- Expected scan result: FAIL

9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output:
- Expected scan result: FAIL

9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :green_circle:
- Output:
- Expected scan result: FAIL

9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' :red_circle:

Severity: HIgh
[ ] Fixed
[ ] Second review
Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because it does not
exist.
At line:1 char:1
+ Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

Expected scan result: FAIL

9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because it does not
exist.
At line:1 char:1
+ Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Mi

Expected scan result: FAIL

9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423) - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423) - Compliance - :red_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568) - Rules - :red_circle: Default value is not secure, however not applicable is set. - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Mi ``` - Expected scan result: `FAIL`

9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue

Rules - :red_circle: Default value is not secure, however not applicable is set.

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'       Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```
- Expected scan result: `FAIL`
</details>

9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.1
- Expected scan result: FAIL

9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.1
- Expected scan result: FAIL

9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.1
- Expected scan result: FAIL

9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.1
- Expected scan result: FAIL

9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.1
- Expected scan result: FAIL

9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue

Rules - :red_circle: Default value is not secure, however not applicable is set.

Output:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

- Expected scan result: `FAIL`
</details>

9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.7
- Expected scan result: FAIL

9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.7
- Expected scan result: FAIL

9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
ID - :yellow_circle: - Check issue
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :red_circle:: Check issue
Rules - :red_circle: Default value is not secure, however not applicable is set.
- Output: Same as 9.3.7
- Expected scan result: FAIL

Rebits commented 1 year ago

17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.Events for this subcategory include: - 4774: An account was mapped for logon. -  4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account.
The recommended state for this setting is: Success and Failure.

Current description

This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Credential Validation"
System audit policy
Category/Subcategory                      Setting
Account Logon
Credential Validation                   No Auditing

Expected scan result: FAIL

17.2.1 Ensure 'Audit Application Group Management' is set to 'Success and Failure :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

This policy setting allows you to audit events generated by changes to application groups such as the following: -Application group is created, changed, or deleted. -Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure.

Current description

This policy setting allows you to audit events generated by changes to application groups such as the following: -Application group is created, changed, or deleted. -Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager.

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Application Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
Application Group Management            No Auditing

Expected scan result: FAIL

17.2.2 Ensure 'Audit Security Group Management' is set to include 'Success' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: -

Expected description

This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is to include: Success.

Current description

This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
Security Group Management               No Auditing
PS C:\Users\vagrant>

Expected scan result: FAIL

17.2.3 Ensure 'Audit User Account Management' is set to 'Success and Failure' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: -

Expected description

This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure

Current description

This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts.

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:


PS C:\Users\vagrant> auditpol.exe /get /subcategory:"User Account Management"
System audit policy
Category/Subcategory                      Setting
Account Management
User Account Management                 No Auditing
PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.3.1 Ensure 'Audit PNP Activity' is set to include 'Success' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: -
**Expected description**

This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success.


**Current description**

This policy setting allows you to audit when plug and play detects an external device.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Plug and Play Events" System audit policy Category/Subcategory Setting Detailed Tracking Plug and Play Events No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.3.2 Ensure 'Audit Process Creation' is set to include 'Success' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: -

**Expected description**

This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success.


**Current description**

This subcategory reports the creation of a process and the name of the program or user that created it.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1165783568)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Process Creation" System audit policy Category/Subcategory Setting Detailed Tracking Process Creation No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.5.1 Ensure 'Audit Account Lockout' is set to include 'Failure :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation -  :red_circle:

**Expected tittle**

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure.


**Current tittle**

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Account Lockout" System audit policy Category/Subcategory Setting Logon/Logoff Account Lockout No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.5.2 Ensure 'Audit Group Membership' is set to include 'Success' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation -

**Expected description**

This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy.


**Current description**

This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Group Membership" System audit policy Category/Subcategory Setting Logon/Logoff Group Membership No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.5.3 Ensure 'Audit Logoff' is set to include 'Success' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success.


**Current description**

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Logoff" System audit policy Category/Subcategory Setting Logon/Logoff Logoff No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected description**

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure.


**Current description**

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Logon" System audit policy Category/Subcategory Setting Logon/Logoff Logon No Auditing PS C:\Users\vagrant>

  - Expected scan result: `FAIL`
</details>

### 17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation :red_circle:

**Expected description**

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure.


**Current description**

This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

Logon No Auditing PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Other Logon/Logoff Events" System audit policy Category/Subcategory Setting Logon/Logoff Other Logon/Logoff Events No Auditing

  - Expected scan result: `FAIL`
</details>

### 17.5.6 Ensure 'Audit Special Logon' is set to include 'Success' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:

**Expected tittle**

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success.


**Current tittle**

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Special Logon" System audit policy Category/Subcategory Setting Logon/Logoff Special Logon No Auditing

  - Expected scan result: `FAIL`
</details>

### 17.6.1 Ensure 'Audit Detailed File Share' is set to include 'Failure :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)

**Expected tittle**

This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure


**Current tittle**

This subcategory allows you to audit attempts to access files and folders on a shared folder.

- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Detailed File Share" System audit policy Category/Subcategory Setting Object Access Detailed File Share No Auditing

  - Expected scan result: `FAIL`
</details>

### 17.6.2 Ensure 'Audit File Share' is set to 'Success and Failure' :red_circle:
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle:

**Expected description**

This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.


**Current description**

This policy setting allows you to audit attempts to access a shared folder.


- Compliance - :yellow_circle:: Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)
- Rules - :green_circle:
  - Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"File Share" System audit policy Category/Subcategory Setting Object Access File Share No Auditing

  - Expected scan result: `FAIL`
</details>

### 17.6.3 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' :red_circle:
- Severity: `Low`
- [ ] Fixed
- [ ] Second review
<details>
  <summary>Details</summary>
- ID - :green_circle:
- Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1172364423)

**Expected description**

This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited:

Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure.

Current description

This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Other Object Access Events"
System audit policy
Category/Subcategory                      Setting
Object Access
Other Object Access Events              No Auditing

Expected scan result: FAIL

17.6.4 Ensure 'Audit Removable Storage' is set to 'Success and Failure' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy.

Current description

This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Removable Storage"
System audit policy
Category/Subcategory                      Setting
Object Access
Removable Storage                       No Auditing

Expected scan result: FAIL

17.7.1 Ensure 'Audit Audit Policy Change' is set to include 'Success' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: - Expected description

This subcategory reports changes in audit policy including SACL changes. Events for this
subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success.

Current description

This subcategory reports changes in audit policy including SACL changes

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Audit Policy Change"
System audit policy
Category/Subcategory                      Setting
Policy Change
Audit Policy Change                     No Auditing
PS C:\Users\vagrant>

Expected scan result: FAIL

17.7.2 Ensure 'Audit Authentication Policy Change' is set to include 'Success' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: -

Expected description

This subcategory reports changes in authentication policy. Events for this subcategory
include - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed.  - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success.

Current description

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Authentication Policy Change"
System audit policy
Category/Subcategory                      Setting
Policy Change
Authentication Policy Change            No Auditing

Expected scan result: FAIL

17.7.3 Ensure 'Audit Authorization Policy Change' is set to include 'Success' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: -

Expected description

This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success.

Current description

This subcategory reports changes in authorization policy

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Authorization Policy Change"
System audit policy
Category/Subcategory                      Setting
Policy Change
Authorization Policy Change             No Auditing

Expected scan result: FAIL

17.7.4 Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: - Expected description

This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC. Events
for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was
added. - 4947: A change has been made to Windows Firewall exception list. A rule was
modified. - 4948: A change has been made to Windows Firewall exception list. A rule was
deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not
recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the
rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have
been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure

Current description

This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
System audit policy
Category/Subcategory                      Setting
Policy Change
MPSSVC Rule-Level Policy Change         No Auditing

Expected scan result: FAIL

17.7.5 Ensure 'Audit Other Policy Change Events' is set to include 'Failure' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle:

Expected description

This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure.

Current description

This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Other Policy Change Events"
System audit policy
Category/Subcategory                      Setting
Policy Change
Other Policy Change Events              No Auditing

Expected scan result: FAIL

17.8.1 Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: -

Expected description

This subcategory reports when a user account or service uses a sensitive privilege sensitive privilege includes the following user rights: - Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - Impersonate a client after authentication - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Auditing this subcategory will create a high volume of events. Events for this subcategory
include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure.

Current description

This subcategory reports when a user account or service uses a sensitive privilege

Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Sensitive Privilege Use"
System audit policy
Category/Subcategory                      Setting
Privilege Use
Sensitive Privilege Use                 No Auditing

Expected scan result: FAIL

17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"IPsec Driver"
System audit policy
Category/Subcategory                      Setting
System
IPsec Driver                            No Auditing

Expected scan result: FAIL

17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :yellow_circle:: Check issue

Rules - :green_circle:

Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Other System Events"
System audit policy
Category/Subcategory                      Setting
System
Other System Events                     No Auditing

Expected scan result: FAIL

17.9.3 Ensure 'Audit Security State Change' is set to include 'Success' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :yellow_circle:: Check issue
Rules - :green_circle:
- Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Security State Change"
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   No Auditing

Expected scan result: FAIL

17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :yellow_circle:: Check issue
Rules - :green_circle:
- Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"Security System Extension"
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
PS C:\Users\vagrant>

Expected scan result: FAIL

17.9.5 Ensure 'Audit System Integrity' is set to 'Success and Failure' :yellow_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :yellow_circle: - Check issue
Compliance - :yellow_circle:: Check issue
Rules - :green_circle:
- Output:

PS C:\Users\vagrant> auditpol.exe /get /subcategory:"System Integrity"
System audit policy
Category/Subcategory                      Setting
System
  System Integrity                        No Auditing

Expected scan result: FAIL

Rebits commented 1 year ago

06/07/202

Every discrepancy detected in the Title/Description/Rationale/ Remediation field has been fixed in https://github.com/wazuh/wazuh/pull/14090/commits/1dfc92f8e8f53dba0f6067f862963ea6bcebc6f6, https://github.com/wazuh/wazuh/pull/14090/commits/5d79adcb2ba811ebb1ac31dbdd64839e13fa1d95, https://github.com/wazuh/wazuh/pull/14090/commits/d429d9511c2f1fec4dec7b0b1f34ccae914eaac4 respectively. For this reason, future commentaries will only analyze the check's rules, marking the rest of fields with :yellow_circle: . In previous checks, this methodology was taken only for style errors. However, due to the huge number of discrepancies with the CIS Benchmark file and some errors not detected in the first corrections I have decided to use semi-automatic testing for all these fields, and correct them in https://github.com/wazuh/wazuh/pull/14090/

Rebits commented 1 year ago

18.1.1.1 Ensure 'Audit System Integrity' is set to 'Success and Failure' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - By default Disabled. It should check that registry values exists: ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Personalization:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - By default Disabled. It should check that registry values exists: ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow ' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' ``` - Output: Same as 18.1.1.1 - Expected scan result: `FAIL`

18.1.2.2 Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - By default Enabled. It should check that registry values exists: ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization' AllowInputPersonalization : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPer sonalization PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : InputPersonalization PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - By default Enabled. It should check that registry values exists: ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed :yellow_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :green_circle: - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}' (default) : AdmPwd DllName : C:\Program Files\LAPS\CSE\AdmPwd.dll NoUserPolicy : 1 ProcessGroupPolicy : ProcessGroupPolicy PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions PSChildName : {D76B9641-3288-4f75-942D-087DE603E3EA} PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.2.2 - 18.2.6 LAPS related checks :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :green_circle: In this case, this policy is dependent to `Ensure LAPS AdmPwd GPO Extension / CSE is installed` check. There are two approachs: - Mark as Not applicable: If `18.2.1` is not fulfill, all dependent checks will be marked as red making results redundant - Mark as FAIL: With this approach every check related with LAPS will be marked as FAIL. For this analyzis I am going to choose the first approach but is required developer validation. Also, all these rules does not consider the Not configured case for wich `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd` does not even exists. Due to the limitations of SCA I suggest to follow this structure: ``` rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' ``` It will be marked as Not applicable is LAPS is not installed. Otherwise, should check for explicitt secure configuration. - Output of `18.2.2`: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...otectionEnabled:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` After installing LAPS and configure it ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd' PasswordComplexity : 4 PasswordLength : 14 PasswordAgeDays : 30 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services PSChildName : AdmPwd PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL` Exception - `18.2.4` and `18.2.6` are secure by default. Limitations in SCA do not allow contemplate default case. I suggest ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4' ``` All proposed rules in the PR.

18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Corner case - Not defined `LocalAccountTokenFilterPolicy`. Suggetion ``` - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : fdsafsa scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Include case of SMBv1 not present in the system - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu...rvices\mrxsmb10:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `PASS`

18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Multiple default cases depending of the OS Windows 10 R1703 and older: Enabled. Windows 10 R1709 and newer: Disabled. SCA limitations make impossible to perfectly determinate status of the system for default values. I suggest: ``` - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' EnableAuthenticateUserSharing : 0 NullSessionPipes : {a} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {108, 188, 234, 203...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanmanServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanmanServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Disabled for 32-bit processes - Suggestion ``` - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' DpcWatchdogProfileOffset : 10000 ObUnsecureGlobalNames : {netfxcustomperfcounters.1.0, SharedPerfIPCBlock, Cor_Private_IPCBlock, Cor_Public_IPCBlock_} SeTokenSingletonAttributesConfig : 3 obcaseinsensitive : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\Session Manager\kernel PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\Session Manager PSChildName : kernel PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.3.5 Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled - Suggestion ``` - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s\PointAndPrint:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand PS C:\Users\vagrant> ``` - Expected scan result: `PASS`

18.3.6 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default values B-node (broadcast only) if a WINS server is not configured in NIC properties. H-node (hybrid - point-to-point first, then broadcast) if a WINS server is configured in NIC properties Suggestion ``` - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' BcastNameQueryCount : 3 BcastQueryTimeout : 750 CacheTimeout : 600000 EnableLMHOSTS : 1 NameServerPort : 137 NameSrvQueryCount : 3 NameSrvQueryTimeout : 1500 NbProvider : _tcp SessionKeepAlive : 3600000 Size/Small/Medium/Large : 1 TransportBindName : \Device\ UseNewSmb : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :green_circle: - Default values ``` On Windows 8.0 and older: Enabled. (Lsass.exe retains a copy of the user's plaintext password in memory, where it is at risk of theft.) On Windows 8.1 and newer: Disabled. (Lsass.exe does not retain a copy of the user's plaintext password in memory.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' Debuglevel : 0 Negotiate : 0 UTF8HTTP : 1 UTF8SASL : 1 DigestEncryptionAlgorithms : 3des,rc4 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se curityProviders\WDigest PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se curityProviders PSChildName : WDigest PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Disabled Suggestion: ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 113549229019 ShutdownFlags : 2147483687 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-2383466009-3940392604-4156099882-1001 LastUsedUsername : vagrant AllocateDASD : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` No additional protection, source routed packets are allowed. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Medium, source routed packets ignored when IP forwarding is enabled. ``` Suggestion ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : windows Hostname : windows TcpWindowSize : 64240 DhcpDomain : home DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.4 Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Disabled. (Saving of dial-up and VPN passwords is allowed.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\Windows\System32\rasmans.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Enabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\Windows\System32\rasmans.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended) :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Defult value ``` 7,200,000 milliseconds or 120 minutes. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\Windows\System32\rasmans.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' BcastNameQueryCount : 3 BcastQueryTimeout : 750 CacheTimeout : 600000 EnableLMHOSTS : 1 NameServerPort : 137 NameSrvQueryCount : 3 NameSrvQueryTimeout : 1500 NbProvider : _tcp SessionKeepAlive : 3600000 Size/Small/Medium/Large : 1 TransportBindName : \Device\ UseNewSmb : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.9 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' AutoChkTimeout : 8 BootExecute : {autocheck autochk *} BootShell : C:\Windows\system32\bootim.exe CriticalSectionTimeout : 2592000 ExcludeFromKnownDlls : {} GlobalFlag : 0 GlobalFlag2 : 0 HeapDeCommitFreeBlockThreshold : 0 HeapDeCommitTotalFreeThreshold : 0 HeapSegmentCommit : 0 HeapSegmentReserve : 0 InitConsoleFlags : 0 NumberOfInitialSessions : 2 ObjectDirectories : {\Windows, \RPC Control} ProcessorControl : 2 ProtectionMode : 1 ResourceTimeoutCount : 150 RunLevelExecute : {WinInit, ServiceControlManager} RunLevelValidate : {ServiceControlManager} SETUPEXECUTE : {} AutoChkSkipSystemPartition : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l PSChildName : Session Manager PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value 5 seconds Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare 5' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 113549229019 ShutdownFlags : 2147483687 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-2383466009-3940392604-4156099882-1001 LastUsedUsername : vagrant AllocateDASD : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value 5 Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value 5 Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : windows Hostname : windows TcpWindowSize : 64240 DhcpDomain : home DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.4.13 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value 0% Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare 90' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' DisplayNameFile : C:\Windows\system32\wevtapi.dll DisplayNameID : 257 File : C:\Windows\System32\winevt\Logs\Security.evtx Isolation : 2 MaxSize : 20971520 PrimaryModule : Security Retention : 0 Security : {1, 0, 20, 128...} RestrictGuestAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog \Security PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog PSChildName : Security PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `PASS`

18.5.4.1 Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Disabled. (The computer will use locally configured settings.) ``` SCA does not allow ensuring check for not configured case - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws NT\DNSClient:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

8.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws NT\DNSClient:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Enabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default values ``` Windows 10 R1703 and older: Enabled. (The SMB client will allow insecure guest logons.) Windows 10 R1709 and newer: Disabled. (The SMB client will reject insecure guest logons.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...nmanWorkstation:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Defaul value disabled SCA do not allow consider not configure case. However every time this option turn into Disabled all registries are transform to zero. Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ft\Windows\LLTD:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `PASS`

18.5.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Defaul value disabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ft\Windows\LLTD:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.5.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' Disabled : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : Peernet PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' NC_PersonalFirewallConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Network Connections PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Network Connections PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.5.11.4 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :green_circle: - Default value disavled Suggestion ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' NC_PersonalFirewallConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Network Connections PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Network Connections PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value is disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' ``` - Expected scan result: `FAIL`

18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :green_circle: - Default value is ``` All IPv6 components are enabled and Windows prefers IPv6 over IPv4 ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\WCN\Registrars:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.5.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows\WCN\UI:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value is ``` Enabled: 1 = Minimize simultaneous connections. (Any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. The order of preference (from most preferred to least preferred) is: Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 3' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' ``` - Expected scan result: `FAIL`

18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :red_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' ``` - Expected scan result: `FAIL`

18.5.23.2.1 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled Suggestion ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config' PowerDelayLowPowerScan : 1200000 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkma nager\config PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkma nager PSChildName : config PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.6.1 Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is enabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers -> RegisterSpoolerRemoteRpcEndPoint' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers -> RegisterSpoolerRemoteRpcEndPoint -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\Software\...dowsNT\Printers:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value Enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\Software\...s\PointAndPrint:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.6.3 Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> UpdatePromptSettings' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> UpdatePromptSettings -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\Software\...s\PointAndPrint:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.7.1.1 Ensure 'Turn off notifications network usage' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value Disabled Suggestion ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...shNotifications:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' ``` - Expected scan result: `FAIL`

18.8.4.1 Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Without the May 2018 security update: Enabled: Vulnerable (Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.) With the May 2018 security update: Enabled: Mitigated (Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...dSSP\Parameters:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Disabled. (Restricted Admin Mode and Windows Defender Remote Credential Guard are not supported. Users will always need to pass their credentials to the host.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...tialsDelegation:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.5.1 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.5.2 Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.5.3 Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.4. Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.5.5 Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.5.6 Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: Default value ``` Not Configured. (Administrative users can choose whether to enable or disable Secure Launch.) Suggestion ``` ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.7.2" Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata -> PreventDeviceMetadataFromNetwork' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata -> PreventDeviceMetadataFromNetwork -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\DeviceMetadata:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Disabled. (Boot-start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be bad is skipped.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu...ies\EarlyLaunch:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' ``` - Output: ``` icrosoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...A-00C04FBBCFA2}:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disable Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' ``` - Output: ``` icrosoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...A-00C04FBBCFA2}:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.21.4 Ensure 'Continue experiences on this device' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` The default behavior depends on the Windows edition. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.21.5 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' :red_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled (value is not set in case of disable)- Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : fdsafsa scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Syst em PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.8.22.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows NT\Printers:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Tablet PC users can choose whether or not they want to share their writing samples from the handwriting recognition personalization tool with Microsoft ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\TabletPC:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' ``` - Output: ``` icrosoft\Windows\HandwritingErrorReports' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ingErrorReports:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...nnection Wizard:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.8.22.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ows NT\Printers:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\... Wizard Control:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...SearchCompanion:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.10 Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.8.22.1.11 Ensure'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.8.22.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Users have the choice to opt-in and allow information to be collected ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...essenger\Client:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.22.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` The Administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' CEIPEnable : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\SQMClient\Windows PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\SQMClient PSChildName : Windows PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.8.22.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Errors may be reported to Microsoft via the Internet or to a corporate file share.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Error Reporting:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.25.1 Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Automatic. (Devices will attempt to authenticate using their certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.) ``` Due to SCA limitations it is not possible to consider Not configured case - Output: ``` Windows\CurrentVersion\Policies\System\kerberos\parameters' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...eros\parameters:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.26.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Windows 10 R1803 and newer: Enabled if UEFI BIOS is present. Disabled if using legacy BIOS. Older OSes: Not supported (i.e. Disabled ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\... DMA Protection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.27.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...l\International:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.28.1 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled'" :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.28.3 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `PASS`

18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled SUggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `PASS`

18.8.31.1 Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.31.2 Ensure 'Allow upload of User Activities' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Activities of type User Activity are allowed to be uploaded to the cloud ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.8.34.6.1 Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Network connectivity will be maintained in standby while on battery.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSetti ngs\f15576e8-98b7-4186-b944-eafa664402d9' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...44-eafa664402d9:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.34.6.2 Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSetti ngs\f15576e8-98b7-4186-b944-eafa664402d9' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...44-eafa664402d9:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSetti ngs\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...d5-f7d2daa51f51:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Enabled Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSetti ngs\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...d5-f7d2daa51f51:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is Disabled Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ``` - Expected scan result: `PASS`

18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ``` - Expected scan result: `FAIL`

18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows NT\Rpc:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.37.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled: Authenticated. (Only authenticated RPC clients are allowed to connect to RPC servers running on the machine. Exemptions are granted to interfaces that have requested them.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows NT\Rpc:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.8.48.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Provider\Policy:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.48.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...1-88dd50a6299d}:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.50.1 Ensure 'Turn off the advertising ID' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users can control whether apps can use the advertising ID for experiences across apps.) ``` Suggestion ``` - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...AdvertisingInfo:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.8.53.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The local computer clock does not synchronize time with NTP servers.) Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...iders\NtpClient:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQu ``` - Expected scan result: `FAIL`

18.8.53.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The computer cannot service NTP requests from other computers.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...iders\NtpServer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.9.4.1 Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows apps won't be able to share app data with other instances of that app.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...el\StateManager:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.9.4.2 Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (All users will be able to initiate installation of Microsoft Store app packages.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx' ``` - Expected scan result: `FAIL`

18.9.5.1 Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The user can decide whether Windows apps can interact with applications using speech while the system is locked by using Settings > Privacy on the device.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...dows\AppPrivacy:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users will need to sign in with a Microsoft account.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : fdsafsa scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Syst em PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (AutoPlay is enabled for non-volume devices.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows will prompt the user whether autorun command is to be run.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Autoplay is enabled.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.9.10.1.1 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Users are able to choose whether or not to use enhanced anti-spoofing on supported devices. ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\FacialFeatures:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.12.1 Ensure 'Allow Use of Camera' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Camera devices are enabled.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Camera' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\Policies\Microsoft\Camer a:String) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.14.1 Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows experiences are able to use cloud consumer accounts.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\CloudContent:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.14.2 Ensure 'Turn off cloud optimized content' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows experiences will be able to use cloud optimized content.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\CloudContent:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.14.3 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users may see suggestions from Microsoft and notifications about their Microsoft account.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\CloudContent:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (A PIN is not required for pairing to a wireless display device.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> r:^1$|^2$' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Windows\Connect:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.16.1 Ensure 'Do not display the password reveal button' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The password reveal button is displayed after a user types a password in the password entry text box. If the user clicks on the button, the typed password is displayed on-screen in plain text.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows\CredUI:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users will be required to always type in a username and password to elevate.) ``` - Output: ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' ``` - Expected scan result: `FAIL`

18.9.16.3 Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Not Configured. (Local user accounts are able to set up and use security questions to reset their passwords.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.9.17.1 Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' ``` - Expected scan result: `FAIL`

18.9.17.2 Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows will periodically attempt to connect with the OneSettings service to download configuration settings.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads -> 1 ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' ``` - Expected scan result: `FAIL`

18.9.17.4 Ensure 'Do not show feedback notifications' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users may see notifications through the Windows Feedback app asking users for feedback. Users can control how often they receive feedback questions.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.9.17.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows will not record attempts to connect with the OneSettings service to the EventLog.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.9.17.6 Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.9.17.7 Ensure 'Limit Dump Collection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> :LimitDumpCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> :LimitDumpCollection -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' PS C:\Users\vagrant> ``` - Expected scan result: `FAIL`

18.9.17.8 Ensure 'Toggle user control over Insider builds' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Users can download and install Windows preview software on their devices.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s\PreviewBuilds:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.18.1 Ensure 'Download Mode' is NOT set to 'Enabled: Internet' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enterprise, Enterprise LTSB and Education SKUs: Enabled: LAN (1) All other SKUs: Enabled: Internet (3) ``` Due to SCA limitations, we can not ensure this check for Not configured case. - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...eryOptimization:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (When a log file reaches its maximum size, new events overwrite old events.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Log\Application:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The default log size is 20,480 KB - this value can be changed by the local administrator using the Log Properties dialog.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Log\Application:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (When a log file reaches its maximum size, new events overwrite old events.) ``` Suggestion ``` - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...entLog\Security:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The default log size is 20,480 KB - this value can be changed by the local administrator using the Log Properties dialog.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...entLog\Security:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (When a log file reaches its maximum size, new events overwrite old events.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\EventLog\Setup:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The default log size is 20,480 KB - this value can be changed by the local administrator using the Log Properties dialog.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\EventLog\Setup:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (When a log file reaches its maximum size, new events overwrite old events ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...EventLog\System:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.27.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The default log size is 20,480 KB - this value can be changed by the local administrator using the Log Properties dialog.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...EventLog\System:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Data Execution Prevention will block certain types of malware from exploiting Explorer.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Heap termination on corruption is enabled.) ``` Suggestion ``` condition: all rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.31.4 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The protocol is in the protected mode, allowing applications to only open a limited set of folders.) ``` Suggestion ``` ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWAR E\Microsoft\Windows\CurrentVersion\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `PASS`

18.9.36.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (A user can add their computer to a HomeGroup. However, data on a domain- joined computer is not shared with the HomeGroup.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ndows\HomeGroup:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.41.1 Ensure 'Turn off location' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Programs on the computer are permitted to use location information from the location feature.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ationAndSensors:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.45.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Cellular text messages can be backed up and restored to Microsoft's cloud services.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ndows\Messaging:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.9.46.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Applications and services on the device will be permitted to authenticate using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Defender\Spynet:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.4.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service will not be joined.) ``` Suggestion ``` rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Defender\Spynet:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.9.47.5.1.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (No ASR rules will be configured.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\Software\...ploit Guard\ASR:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.5.1.2 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (No ASR rules will be configured.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\Software\...Guard\ASR\Rules:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.5.3.1 Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users and applications will not be blocked from connecting to dangerous domains.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...work Protection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.6.1 Ensure 'Enable file hash computation feature' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (File hash values are not computed during scans.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine -> EnableFileHashComputation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine -> EnableFileHashComputation -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...fender\MpEngine:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.9.1" Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (All downloaded files and attachments will be scanned ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableIOAVProtection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableIOAVProtection -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...-TimeProtection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.9.2 Ensure 'Turn off real-time protection' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft Defender Antivirus will prompt users to take actions on malware detections.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableRealtimeMonitoring' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...-TimeProtection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.9.3 Ensure 'Turn on behavior monitoring' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Behavior monitoring will be enabled.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableBehaviorMonitoring' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...-TimeProtection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `PASS`

18.9.47.9.4 Ensure 'Turn on script scanning' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Script scanning will be enabled ``` Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableScriptScanning' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableScriptScanning -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...-TimeProtection:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.11.1 Ensure 'Configure Watson events' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Watson events will be sent to Microsoft automatically when a program or service crashes or fails.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ender\Reporting:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.12.1 Ensure 'Scan removable drives' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s Defender\Scan:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.12.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (E-mail scanning by Microsoft Defender Antivirus will be disabled.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s Defender\Scan:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.47.15 Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Applications that are identified by Microsoft as PUA will not be blocked.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' PUAProtection : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policie s\Microsoft\Windows Defender PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policie s\Microsoft PSChildName : Windows Defender PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.47.16 Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...WindowsDefender:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.57.1 Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (The news and interests feature is available on the device.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds -> EnableFeeds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds -> EnableFeeds -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\WindowsFeeds:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.58.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Apps and features can work with OneDrive file storage using the Next Generation Sync Client.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...indows\OneDrive:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.64.1 Ensure 'Turn off Push To Install service' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users are able to push Apps to this device from the Microsoft Store running on other devices or the web.) ``` Suggetion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...t\PushToInstall:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users will be able to save passwords using Remote Desktop Connection.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users cannot connect remotely to the target computer by using Remote Desktop Services, unless it has been manually enabled from the Remote tab in the System Properties sheet.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.3.1 Ensure 'Allow UI Automation redirection' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Any UI Automation clients on the local computer can interact with remote apps.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices -> EnableUiaRedirection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices -> EnableUiaRedirection -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...erminalServices:Strin g) [Get-ItemProperty], ItemNotFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemProper tyCommand ``` - Expected scan result: `FAIL`

18.9.65.3.3.2 Ensure 'Do not allow COM port redirection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services allows COM port redirection.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.3.3 Ensure 'Do not allow drive redirection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (An RD Session Host maps client drives automatically upon connection ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.3.4 Ensure 'Do not allow location redirection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users can redirect their location data to the remote computer.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.3.5 Ensure 'Do not allow LPT port redirection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services allows LPT port redirection.) ``` Suggetion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.3.6 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services allows redirection of supported Plug and Play devices.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.9.3 Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Negotiate. (The most secure method that is supported by the client is enforced. If TLS is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native RDP encryption is used, but the RD Session Host server is not authenticated.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

8.9.65.3.9.4 Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Windows 7 and older: Disabled. Windows 8.0 and newer: Enabled ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.9.5 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled: High Level. (All communications between clients and RD Session Host servers during remote connections using native RDP encryption must be 128-bit strength. Clients that do not support 128-bit encryption will be unable to establish Remote Desktop Server sessions.) ``` Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 2' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

s

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Disconnected Remote Desktop sessions are maintained for an unlimited time on the server.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.65.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Temporary folders are deleted when a user logs off.) ``` Suggetion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' fAllowToGetHelp : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users can set the Feed Sync Engine to download an enclosure through the Feed property page. Developers can change the download setting through the Feed APIs.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\... Explorer\Feeds:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.67.2 Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled: Enable Cloud Search. (Allow search and Cortana to search cloud sources like OneDrive and SharePoint.) ``` Also, Enable CLoud search has value 1 instead of 0 Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows Search:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.67.3 Enabled. (Cortana will be allowed on the device.) :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Cortana will be allowed on the device.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows Search:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.67.4 Ensure 'Allow Cortana above lock screen' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (The user can interact with Cortana using speech while the system is locked.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows Search:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.67.5 Ensure 'Allow indexing of encrypted files' is set to 'Disabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows Search:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.67.6 Ensure 'Allow search and Cortana to use location' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Search and Cortana can access location information.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows Search:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.72.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (KMS client activation data will automatically be sent to Microsoft when the device activates.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ection Platform:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.75.1 Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Microsoft Store apps are permitted to be launched and updated. Microsoft Store is enabled.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' AutoDownload : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.75.2 Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users can access the retail catalog in the Microsoft Store.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' AutoDownload : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.75.3 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Microsoft Store automatically downloads and installs updates for Microsoft Store apps.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' AutoDownload : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.75.4 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The Microsoft Store application will offer updates to the latest version of Windows.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' AutoDownload : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.75.5 Ensure 'Turn off the Store application' is set to 'Enabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Access to the Microsoft Store application is allowed.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' AutoDownload : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.81.1 Ensure 'Allow widgets' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Widget feature is allowed on the device.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Dsh' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\Policies\Microsoft\Dsh:String) [Get-ItemProperty], ItemN otFoundException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.85.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows Defender SmartScreen behavior is managed by administrators on the PC by using Windows Defender SmartScreen Settings in Action Center.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' ``` - Expected scan result: `FAIL`

18.9.85.2.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (SmartScreen Filter is turned on.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\PhishingFilter:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.85.2.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Employees will be able to ignore SmartScreen Filter warnings about potentially malicious websites and continue to the site.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...\PhishingFilter:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.87.1 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Recording and Broadcasting (streaming) is allowed.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Windows\GameDVR:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.89.1 Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (The suggested apps in Windows Ink Workspace will be allowed.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...owsInkWorkspace:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.89.2 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Windows Ink Workspace is permitted above the lock screen.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...owsInkWorkspace:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.90.1 Ensure 'Allow user control over installs' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The security features of Windows Installer will prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ndows\Installer:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.90.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value ``` Disabled. (Windows Installer will apply the current user's permissions when it installs programs that a system administrator does not distribute or offer. This will prevent standard users from installing applications that affect system-wide configuration items.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ndows\Installer:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.90.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (When a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ndows\Installer:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (The device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : fdsafsa scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 NoConnectedUser : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.100.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (PowerShell will log script blocks the first time they are used ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...iptBlockLogging:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.100.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Transcription of PowerShell-based applications is disabled by default, although transcription can still be enabled through the Start-Transcript cmdlet ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...l\Transcription:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

Rebits commented 1 year ago

18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM service will not accept Basic authentication from a remote client ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\WinRM\Client:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM client sends or receives only encrypted messages over the network ``` Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\WinRM\Client:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM client will use Digest authentication.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...ws\WinRM\Client:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

ID Ensure 'Allow Basic authentication' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM service will not accept Basic authentication from a remote client.) ``` - Output: ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' ``` - Expected scan result: `FAIL`

18.9.102.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.) ``` Suggetion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s\WinRM\Service:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM service sends or receives only encrypted messages over the network.) ``` Suggestion ``` condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s\WinRM\Service:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (The WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...s\WinRM\Service:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.103.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (New Remote Shell connections are allowed ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...M\Service\WinRS:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.104.1 Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Copy and paste between the host and Windows Sandbox are permitted.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Windows\Sandbox:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.104.2 Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled. (Networking in the Windows Sandbox is enabled ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...Windows\Sandbox:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.105.2.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Local users are allowed to make changes in the Exploit protection settings area.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection' because it does not exist. At line:1 char:1 + Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...wser protection:String) [Get-ItemProperty], ItemNotFo undException + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand ``` - Expected scan result: `FAIL`

18.9.108.1.1 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation of security updates ``` Suggesiton ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 1 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.2.1 Ensure 'Configure Automatic Updates' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled: 3 - Auto download and notify for install. (Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Windows Update, users can install them.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate ' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 1 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' :yellow_circle:

Severity: Low
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Not Defined. (Since the default value of Configure Automatic Updates is 3 - Auto download and notify for install, this setting is not applicable by default.) ``` This option is only applicable when is configured `Auto download and schedule the install ` (AUOptions to `4`). Otherwise not applicable or PASS - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 1 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.2.3 Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Users have access to the "Pause updates" feature.) ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> SetDisablePauseUXAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> SetDisablePauseUXAccess -> 1' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 1 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.4.1 Ensure 'Manage preview builds' is set to 'Disabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Windows Update will not offer you any pre-release updates and you will receive such content once released to the world. Disabling this policy will cause any devices currently on a pre-release build to opt out and stay on the latest Feature Update once released.) ``` Suggestion ``` condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.4.2 Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Disabled. (Feature Update cadence will not be enforced by Group Policy ``` Suggestion ``` condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180' ``` - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `FAIL`

18.9.108.4.3 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details

- ID - :green_circle: - Title, description, rationale, remediation - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Compliance - :yellow_circle: - Check [issue](https://github.com/wazuh/wazuh-qa/issues/3021#issuecomment-1176066867) - Rules - :red_circle: - Default value is ``` Enabled: 0 days. (Install new Quality Updates as soon as they are available.) ``` SCA limitations make impossible to check this value for Not configure case - Output: ``` PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry ``` - Expected scan result: `PASS`

damarisg commented 1 month ago

We decided to close them as it was not planned.

wazuh / wazuh-qa