threatmodel Windows EN - edamametechnologies/threatmodels GitHub Wiki
Windows Threat Model (EN)
Contents
- EDAMAME helper inactive
- Cached logon credentials enabled
- No antivirus enabled
- No password manager installed
- Disk encryption disabled
- User Account Control disabled
- Automatic logon enabled
- Potentially compromised email address
- Unverified or unsafe network environment
- Windows Script Host enabled
- Remote Desktop Protocol (RDP) enabled
- Windows Update disabled
- Guest account enabled
- Built-in Administrator account enabled
- Windows Firewall disabled
- Remote Registry Service enabled
- LM and NTLMv1 protocols enabled
- Lsass.exe process protection not enabled
- PowerShell execution policy not securely configured
- Chrome browser not up to date
- SMBv1 Protocol Enabled
- No sign-in options enabled
- Windows Hello is not available
- Screensaver lock is not properly configured
- Business rule not respected
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | helper_check |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | https://github.com/edamametechnologies/edamame_helper/releases/download |
Rollback
https://github.com/edamametechnologies/edamame_helper
Cached logon credentials enabled
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Interactive logon: Number of previous logons to cache
Cached logon credentials are a security risk as they can be used by attackers to gain access to your system. They are stored on your system and can be retrieved by attackers who gain access to your computer or network. We recommend disabling cached logon credentials to increase the security of your system.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if(((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -Name 'DisablePasswordCaching' -ErrorAction SilentlyContinue).DisablePasswordCaching) -ne 1) { 'Password caching is not disabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 1 /f |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 0 /f |
No antivirus enabled
Threat
Dimension : applications / Severity : 5
Tags : CIS Benchmark Level 1,Configure Microsoft Defender Antivirus, ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection
You don't have any antivirus installed (Windows Defender, Sentinel One...). We recommend you to enable one.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | Function Get-AVStatus { [cmdletbinding()] Param() Process { $AV = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntivirusProduct'; $enabledAVs = $AV | Where-Object { $productState = '0x{0:x}' -f $_.ProductState; $enabled = $productState.Substring(3, 2) -match '10|11'; return $enabled }; if (-not $enabledAVs) { Write-Output 'epp_disabled' } } }; Get-AVStatus |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | ms-settings:windowsdefender |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | ms-settings:windowsdefender |
No password manager installed
Threat
Dimension : credentials / Severity : 4
You don't have any password manager installed. It's recommended to install one.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | admin | $installed = @(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '1Password|LastPass|KeePass|Bitwarden|Dashlane' }).Count; if ($installed -eq 0) { Write-Output 'No password manager installed' } |
Remediation
https://en.wikipedia.org/wiki/Password_manager
Rollback
Disk encryption disabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Configure BitLocker Drive Encryption, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection
Your main storage is not encrypted. While there is a little performance impact by enabling it, we really urge you to set it up. Without that anyone physically accessing your computer can access your data.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | admin | if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notmatch 'Virtual') { if ((Get-BitLockerVolume).ProtectionStatus -eq 'Off') { Write-Output 'File system not encrypted' } } |
Remediation
https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-7d95-5074-dc66c78d6d5b
Rollback
https://support.microsoft.com/en-us/windows/turn-off-bitlocker-drive-encryption-0026063e-abe0-0e75-12dc-f6239c715f5d
User Account Control disabled
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,User Account Control: Admin Approval Mode
User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes to your computer. If UAC is disabled, it's easier for malware to make changes to your system without your knowledge. You should enable UAC to protect your system from such attacks.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).EnableLUA -eq 0) { 'UAC disabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1 -Type DWord |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0 -Type DWord |
Automatic logon enabled
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Disable Automatic Logon
Automatic logon allows the system to automatically log on a user after booting up. This can be a security risk if the system is not physically secured as anyone can access the system without providing any credentials. It is recommended to disable automatic logon.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1') { 'Automatic logon enabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 0 |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 1 |
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : Personal Posture
Check if your email address might have recently appeared in a data breach.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | pwned -i 365 |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | digitalidentity_manager |
Rollback
https://haveibeenpwned.com/
Unverified or unsafe network environment
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | lanscan |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | network_manager |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | network_manager |
Windows Script Host enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Disable Windows Script Host
Windows Script Host is a built-in Windows scripting environment that allows running of VBScript, JScript, and other scripting languages. Disabling it can help mitigate some types of malware attacks.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1) { 'Windows Script Host enabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 0 /f |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Microsoft\'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 1 /f |
Remote Desktop Protocol (RDP) enabled
Threat
Dimension : network / Severity : 4
Tags : CIS Benchmark Level 1,Ensure Remote Desktop Protocol is Configured
RDP allows users to remotely access and control a Windows computer from another location. While this can be convenient, it also presents a significant security risk if left enabled and unprotected. An attacker could potentially gain access to your computer and compromise your sensitive data or even take control of your system.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0) { 'Terminal Services connections allowed' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1 |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 |
Windows Update disabled
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Configure Automatic Updates
Disabling Windows Update prevents critical security patches and updates from being installed on your system, leaving your system vulnerable to known exploits and threats. It is highly recommended that you enable Windows Update to ensure your system is up to date with the latest security patches.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; $noAutoUpdate = (Get-ItemProperty -Path $registryPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate; $useWUServer = (Get-ItemProperty -Path $registryPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer; Write-Output ($(if ($noAutoUpdate -eq 0 -or $useWUServer -eq 1) { '' } else { $messages = @(); if ($noAutoUpdate -ne 0) {$messages += 'NoAutoUpdate is set.'}; if ($useWUServer -ne 1) {$messages += 'Updates are not managed through GPO.'}; $messages -join ' ' })) |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f |
Guest account enabled
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Ensure Guest account status is disabled
The Guest account is a default account in Windows, which allows users to access the system with limited privileges. It's recommended to disable this account to prevent unauthorized access to your system and data.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {'Guest account is active'} else {''} |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {Disable-LocalUser -Name $guestAccount.Name} |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if (-not $guestAccount.Enabled) {Enable-LocalUser -Name $guestAccount.Name} |
Built-in Administrator account enabled
Threat
Dimension : credentials / Severity : 5
Tags : CIS Benchmark Level 1,Built-in Administrator account status
The Built-in Administrator account is a powerful account that has full access to the system. Having this account enabled is a security risk as it is a common target for attackers. It should be disabled unless it is absolutely necessary to enable it.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {'Built-in Administrator account enabled'} else {''} |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {Disable-LocalUser -Name $adminAccount.Name} |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if (-not $adminAccount.Enabled) {Enable-LocalUser -Name $adminAccount.Name} |
Windows Firewall disabled
Threat
Dimension : network / Severity : 5
Tags : CIS Benchmark Level 1,Ensure Windows Firewall is Enabled
Windows Firewall is a built-in feature of Windows that helps to protect your computer from unauthorized access. When it's disabled, your computer is vulnerable to attacks from the network. We recommend that you enable it.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-NetFirewallProfile -All | Where-Object { $_.Enabled -eq 'False' })) { 'One or more firewall profiles are disabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False |
Remote Registry Service enabled
Threat
Dimension : system services / Severity : 3
Tags : CIS Benchmark Level 1,Ensure Remote Registry Service is disabled
The Remote Registry Service allows remote access to the Windows Registry. This can be a security risk if not properly secured.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-Service -Name RemoteRegistry).Status -eq 'Running') { 'RemoteRegistry service is running' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | (sc.exe config RemoteRegistry start= disabled) -and (sc.exe stop RemoteRegistry) |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | (sc.exe config RemoteRegistry start= auto) -and (sc.exe start RemoteRegistry) |
LM and NTLMv1 protocols enabled
Threat
Dimension : credentials / Severity : 5
Tags : CIS Benchmark Level 1,Network security: LAN Manager authentication level
The LM and NTLMv1 protocols are outdated and insecure authentication protocols. They should be disabled to prevent potential security threats. Leaving these protocols enabled can allow attackers to potentially crack passwords and gain unauthorized access to sensitive information.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 0 | Command line | user | if(((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue).LMCompatibilityLevel -lt 5) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinClientSec -lt 537395200) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinServerSec -lt 537395200)) { 'Weak NTLM settings' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 0 | Command line | system | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LMCompatibilityLevel' -Value '5' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '537395200' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 0 | Command line | system | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LmCompatibilityLevel' -Value '1' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '262144' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord |
Lsass.exe process protection not enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure LSASS is configured to run as a Protected Process
Lsass.exe is a critical system process that handles user authentication. It contains sensitive information such as passwords and security tokens. If this process is compromised, it could lead to a security breach. Enabling Lsass.exe process protection helps prevent attacks against this process. This content will show you how to enable Lsass.exe process protection.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0) { 'RunAsPPL is a REG_DWORD with value 0' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f |
PowerShell execution policy not securely configured
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure PowerShell Execution Policy is set to RemoteSigned
PowerShell is a powerful command-line tool that is built into Windows, and is often used by attackers to carry out malicious activities. The execution policy determines which scripts are allowed to run on a Windows system. If the execution policy is set to Unrestricted, it could allow an attacker to run malicious scripts on your system.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $currentUserPolicy= Get-ExecutionPolicy -Scope CurrentUser; if($currentUserPolicy -eq 'Unrestricted') { 'Execution Policy is unrestricted' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | restart | Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser -Force |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | restart | Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force |
Chrome browser not up to date
Threat
Dimension : applications / Severity : 3
Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome'; if (Test-Path $path) { $local_version = (Get-ItemProperty -Path $path).DisplayVersion; $web_content = Invoke-WebRequest -UseBasicParsing 'https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Windows&num=1'; $latest_version = ($web_content.Content | ConvertFrom-Json)[0].version; if ([version]$latest_version -le [version]$local_version) { Write-Output '' } else { Write-Output 'Chrome is not up to date (Installed: $local_version, Latest: $latest_version)'; } } else { Write-Output '' } |
Remediation
https://support.google.com/chrome/answer/95414?hl=en
Rollback
https://support.google.com/chrome/a/answer/6350036?hl=en
SMBv1 Protocol Enabled
Threat
Dimension : network / Severity : 5
Tags : CIS Benchmark Level 1,Ensure SMBv1 protocol is disabled
The SMBv1 protocol is enabled on your system. This protocol is outdated and has known vulnerabilities that can allow attackers to take over your system. It should be disabled to improve your system's security.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if((Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true) { 'SMBv1 enabled' } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | restart | Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | restart | Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart |
No sign-in options enabled
Threat
Dimension : credentials / Severity : 5
Your system currently does not have any sign-in options enabled. It is important to enable sign-in options like passwords, PIN, or Windows Hello to ensure your device is securely protected.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $lastLoggedOnProvider = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -Name 'LastLoggedOnProvider' -ErrorAction SilentlyContinue).LastLoggedOnProvider; if ($null -eq $lastLoggedOnProvider) { 'Registry entry not present' } elseif ($lastLoggedOnProvider -like '*NgcPin*') { $pinLength = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' -Name 'MinimumPINLength' -ErrorAction SilentlyContinue).MinimumPINLength; if ($pinLength -lt 6) { 'Windows Hello PIN does not meet the minimum length requirement.' } else { '' } } else { '' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | ms-settings:signinoptions |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | ms-settings:signinoptions |
Windows Hello is not available
Threat
Dimension : credentials / Severity : 5
Windows Hello, a crucial security feature, is not available on your system. Enabling it provides advanced security mechanisms such as PIN and biometric authentication.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Ngc\Status') { '' } else { 'Windows Hello is not available.' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | ms-settings:signinoptions |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | ms-settings:signinoptions |
Screensaver lock is not properly configured
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Machine inactivity limit, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Logical Access
The screensaver lock settings are not properly configured. Ensuring a secure and active screensaver with a reasonable timeout enhances the physical security of your system.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | $screensaverTimeout = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveTimeOut' -ErrorAction SilentlyContinue).ScreenSaveTimeOut; $screensaverActive = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveActive' -ErrorAction SilentlyContinue).ScreenSaveActive; $secureScreensaver = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaverIsSecure' -ErrorAction SilentlyContinue).ScreenSaverIsSecure; if ($screensaverActive -eq '1' -and $secureScreensaver -eq '1' -and $screensaverTimeout -le 600) { '' } else { 'Screensaver lock is not properly configured.' } |
Remediation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | system | Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveTimeOut' -Value 600; Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveActive' -Value 1; Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaverIsSecure' -Value 1 |
Rollback
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | ms-settings:lockscreen |
Business rule not respected
Threat
Dimension : applications / Severity : 1
One or more business rules are not respected. Please check the command output for more details.
Implementation
| Tested for | Action | Elevation | Script |
|---|---|---|---|
| Windows 10 | Command line | user | business_rules |
Remediation
Refer to the business rules documentation for more details.
Rollback
Refer to the business rules documentation for more details.