threatmodel Windows EN - edamametechnologies/threatmodels GitHub Wiki

Windows Threat Model (EN)

EDAMAME helper inactive

Threat

Dimension : system services / Severity : 5

EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

helper_check

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

https://github.com/edamametechnologies/edamame_helper/releases/download

Rollback

https://github.com/edamametechnologies/edamame_helper

Cached logon credentials enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 1,Interactive logon: Number of previous logons to cache

Cached logon credentials are a security risk as they can be used by attackers to gain access to your system. They are stored on your system and can be retrieved by attackers who gain access to your computer or network. We recommend disabling cached logon credentials to increase the security of your system.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if(((Get-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'' -Name ''DisablePasswordCaching'' -ErrorAction SilentlyContinue).DisablePasswordCaching) -ne 1) { ''Password caching is not disabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT
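An added example, not part of the EDAMAME threat model or its scripts: the CIS setting named in the tag above, "Interactive logon: Number of previous logons to cache", is stored as the REG_SZ value CachedLogonsCount under Winlogon, which is a different value from the CredUI DisablePasswordCaching DWORD the check above reads. The function below evaluates both, first on constructed values and then on the local registry; note that a CachedLogonsCount of 0 on a domain-joined machine prevents cached (offline) domain logons while no domain controller is reachable.

```powershell
# Added example, not from the EDAMAME threat model: evaluate both registry
# values that govern cached credentials on Windows.
function Test-CachedLogonSettings {
    param(
        $CachedLogonsCount,        # Winlogon\CachedLogonsCount (REG_SZ); Windows default is '10', '0' disables caching
        $DisablePasswordCaching    # Policies\CredUI\DisablePasswordCaching (REG_DWORD); 1 = caching disabled
    )
    $findings = @()

    if ([string]::IsNullOrEmpty([string]$CachedLogonsCount)) {
        $findings += 'CachedLogonsCount not set: the Windows default of 10 cached domain logons applies'
    } else {
        $count = 0
        if (-not [int]::TryParse([string]$CachedLogonsCount, [ref]$count)) {
            $findings += "CachedLogonsCount has a non-numeric value '$CachedLogonsCount'"
        } elseif ($count -gt 0) {
            $findings += "CachedLogonsCount = $count: domain logon verifiers are cached locally"
        }
    }

    # Same condition as the check above: anything other than 1 means caching is allowed
    if ($DisablePasswordCaching -ne 1) {
        $findings += 'DisablePasswordCaching is not 1: credential UI password caching is allowed'
    }
    return $findings
}

# Constructed sample values: a CIS-hardened host produces no findings
$sample = Test-CachedLogonSettings -CachedLogonsCount '0' -DisablePasswordCaching 1
"Findings on hardened sample: $(@($sample).Count)"

# Constructed sample values: Windows defaults (both values absent from the registry)
Test-CachedLogonSettings -CachedLogonsCount $null -DisablePasswordCaching $null

# The same evaluation on this host's registry (absent values come back as $null)
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$credui   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -ErrorAction SilentlyContinue
Test-CachedLogonSettings -CachedLogonsCount $winlogon.CachedLogonsCount -DisablePasswordCaching $credui.DisablePasswordCaching
```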

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 1 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 0 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

No antivirus enabled

Threat

Dimension : applications / Severity : 5

Tags : CIS Benchmark Level 1,Configure Microsoft Defender Antivirus, ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection

You don't have any antivirus installed (Windows Defender, SentinelOne...). We recommend that you enable one.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('Function Get-AVStatus {', '  [CmdletBinding()]', '  Param()', '  Process {', '    # 1) Primary: Windows Security Center (workstations; some Server SKUs won’t populate this)', '    $enabledAVs = @()', '    try {', '      $av = Get-CimInstance -Namespace ''root/SecurityCenter2'' -ClassName ''AntivirusProduct'' -ErrorAction Stop', '      foreach ($p in $av) {', '        $productStateHex = (''0x{0:x}'' -f $p.ProductState)', '        # Treat the product as enabled when the middle (status) byte of ProductState is 0x10 or 0x11', '        if ($productStateHex.Length -ge 5) {', '          $enabled = $productStateHex.Substring(3,2) -match ''10|11''', '          if ($enabled) { $enabledAVs += $p }', '        }', '      }', '    } catch {', '      # SecurityCenter2 may not exist (e.g., some Server editions) – rely on fallbacks below', '    }', '', '    if ($enabledAVs) { return }  # at least one AV registered as enabled', '', '    # 2) Defender explicit health (if present)', '    $defenderOn = $false', '    try {', '      $mp = Get-MpComputerStatus -ErrorAction Stop', '      if ($mp.RealTimeProtectionEnabled -and $mp.AntiSpywareEnabled -and $mp.AntivirusEnabled) { $defenderOn = $true }', '    } catch { }', '    if ($defenderOn) { return }', '', '    # 3) EDR/EPP fallbacks: services/processes/known install dirs', '    $svcNames = @(', '      # Microsoft Defender AV/XDR', '      ''WinDefend''                                  # MsMpEng.exe service backend', '      # SentinelOne', '      ''SentinelAgent''', '      # CrowdStrike', '      ''CSFalconService''', '      # Sophos', '      ''SEDService'',''SSPService''', '      # Symantec Endpoint Protection', '      ''SepMasterService'',''sepWscSvc''', '      # Trend Micro Apex One', '      ''TMBMSRV'',''TmPfw'',''ntrtscan''', '      # Palo Alto Cortex XDR / Traps (old/new)', '      ''cyserver'',''CyveraService''', '      # Cylance / BlackBerry Protect', '      ''CylanceSvc''', '      # ESET', '      ''ekrn''', '      # Trellix / McAfee Endpoint Security platform bits', '      ''mfemms'',''mfevtps'',''mfefire''', '      # Malwarebytes', '      ''MBAMService''', '      # Bitdefender (service object name sometimes bdservicehost)', '      ''bdservicehost''', '    )', '', '    foreach ($svc in $svcNames) {', '      $s = Get-Service -Name $svc -ErrorAction SilentlyContinue', '      if ($s -and $s.Status -eq ''Running'') { return }', '    }', '', '    # Also consider key processes when service name varies by version', '    $procNames = @(''MsMpEng'',''SentinelAgent'',''CSFalconService'',''ekrn'',''MBAMService'',''bdservicehost'',''ntrtscan'')', '    foreach ($pn in $procNames) {', '      if (Get-Process -Name $pn -ErrorAction SilentlyContinue) { return }', '    }', '', '    # Known install directories that strongly indicate an EDR/EPP', '    $edrDirs = @(', '      ''C:\Program Files\Confer'',                                 # VMware Carbon Black Cloud/Defense (RepCLI path)', '      ''C:\Program Files\SentinelOne'',                            # SentinelOne Agent', '      ''C:\Program Files\Palo Alto Networks\Traps'',               # Cortex XDR / Traps', '      ''C:\Windows\System32\drivers\CrowdStrike'',                 # CrowdStrike driver directory', '      ''C:\Program Files\CrowdStrike''                             # some CS installers', '    )', '    foreach ($d in $edrDirs) {', '      if (Test-Path -LiteralPath $d) { return }', '    }', '', '    # If nothing matched, treat as missing EPP', '    Write-Output ''epp_disabled''', '  }', '}', 'Get-AVStatus'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT
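An added example, not part of the EDAMAME script above: the check treats a product as enabled when the middle byte of ProductState is 0x10 or 0x11, extracted by position from a hex string whose leading zero has been dropped. The function below reads the same byte arithmetically, also decodes the signature-status byte, runs over constructed sample values, and then lists the products registered on this host.

```powershell
# Added example, not from the EDAMAME threat model: decode the Security Center
# AntivirusProduct.ProductState DWORD by byte instead of by hex-string position.
function ConvertFrom-AVProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    # Layout relied on by the check above: bits 8-15 hold the product status
    # (0x10 or 0x11 = enabled), bits 0-7 the signature status (0x00 = current,
    # 0x10 = out of date); bits 16-23 identify the product type and are ignored.
    $productStatus   = [int](($ProductState -shr 8) -band 0xFF)
    $signatureStatus = [int]($ProductState -band 0xFF)

    [pscustomobject]@{
        ProductState      = ('0x{0:X6}' -f $ProductState)
        Enabled           = (@(0x10, 0x11) -contains $productStatus)
        SignaturesCurrent = ($signatureStatus -eq 0x00)
    }
}

# Constructed sample states: enabled/current, disabled/out of date, enabled/out of date
$samples = @(0x041000, 0x040010, 0x061110)
$samples | ForEach-Object { ConvertFrom-AVProductState -ProductState $_ } | Format-Table -AutoSize

# Products registered on this host (root/SecurityCenter2 is absent on some Server SKUs)
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntivirusProduct' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $decoded = ConvertFrom-AVProductState -ProductState $_.ProductState
        [pscustomobject]@{
            Product           = $_.DisplayName
            Enabled           = $decoded.Enabled
            SignaturesCurrent = $decoded.SignaturesCurrent
        }
    } | Format-Table -AutoSize
```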

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

ms-settings:windowsdefender

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

ms-settings:windowsdefender

No password manager installed

Threat

Dimension : credentials / Severity : 4

You don't have any password manager installed. It's recommended to install one.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: admin

Script

$__EDAMAME_LINES = @('# ------------ Settings ------------', '# App name patterns (installed programs and Store apps)', '$pmNameRegex = ''(1Password|Bitwarden|LastPass|Dashlane|Keeper|Enpass|KeePass|KeePassXC|NordPass|RoboForm|Zoho Vault|Proton Pass|Sticky Password|Kaspersky Password Manager)''', '', '# Known Chromium extension IDs (Chrome/Edge/Brave/Vivaldi/Opera based)', '#   Chrome Web Store IDs:', '$chromeIds = @(', '  ''aeblfdkhhhdcdjpifhhbdiojplfjncoa'', # 1Password – Password Manager', '  ''khgocmkkpikpnmmkgmdnfckapcdkgfaf'', # 1Password Beta', '  ''nngceckbapebfimnlniiiahkandclblb'', # Bitwarden (Chrome)', '  ''hdokiejnpimakedhajhdlcegeplioahd'', # LastPass (Chrome)', '  ''fdjamakpfbbddfjaooikfcpapjohcfmg'', # Dashlane (Chrome)', '  ''bfogiafebfohielmmehodmfbbebbbpei'', # Keeper (Chrome)', '  ''igkpcodhieompeloncfnbekccinhapdb'', # Zoho Vault (Chrome)', '  ''eiaeiblijfjekdanodkjadfinkhbfgcd'', # NordPass (Chrome)', '  ''pnlccmojcmeohlpggmfnbbiapkmbliob'', # RoboForm (Chrome)', '  ''oboonakemofpalcgghocfoadofidjkkk'', # KeePassXC-Browser (Chrome)', '  ''kmcfomidfpdkfieipokbalgegidffkal'', # Enpass (Chrome)', '  ''ghmbeldphafepmbegfdlkpapadhbakde''  # Proton Pass (Chrome)', ')', '#   Microsoft Edge Add-ons IDs (where they differ from Chrome):', '$edgeIds = @(', '  ''dppgmdbiimibapkepcbdbmkaabgiofem'', # 1Password (Edge store)', '  ''jbkfoedolllekgbhcbcoahefnbanhhlh'', # Bitwarden (Edge store)', '  ''pdffhmdngciaglkoonimfcmckehcpafo''  # KeePassXC-Browser (Edge store)', ')', '', '# Browser profile base directories', '$chromiumBases = @(', '  "$env:LOCALAPPDATA\Google\Chrome\User Data",', '  "$env:LOCALAPPDATA\Microsoft\Edge\User Data",', '  "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data",', '  "$env:LOCALAPPDATA\Vivaldi\User Data",', '  "$env:APPDATA\Opera Software\Opera Stable"  # Opera keeps profiles under %AppData%', ')', '', '# Name pattern fallback for extension manifests (catches Edge-store IDs we didn’t hardcode)', '$namePatterns = @(''1Password'',''Bitwarden'',''LastPass'',''Dashlane'',''Keeper'',''Enpass'',''NordPass'',''RoboForm'',''Zoho Vault'',''KeePassXC'',''Proton Pass'')', '', '# ------------ Impl ------------', '$found = $false', '', '# 1) Native installs (machine + per-user), 32/64-bit', '$uninstallHives = @(', '  ''HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'',', '  ''HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'',', '  ''HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*''', ')', 'foreach ($h in $uninstallHives) {', '  $items = Get-ItemProperty $h -ErrorAction SilentlyContinue |', '           Where-Object { $_.DisplayName -match $pmNameRegex }', '  if ($items) { $found = $true; break }', '}', '', '# 2) Microsoft Store apps (best-effort; may require user context)', 'if (-not $found) {', '  $keywords = @(''1password'',''bitwarden'',''lastpass'',''dashlane'',''keeper'',''enpass'',''nordpass'',''roboform'',''zoho'',''proton pass'',''keepass'',''keepassxc'')', '  foreach ($k in $keywords) {', '    if (Get-AppxPackage -AllUsers "*$k*" -ErrorAction SilentlyContinue) { $found = $true; break }', '  }', '}', '', '# Helper: scan Chromium profiles for known IDs, else scan manifest.json names', 'function Test-ChromiumPM {', '  param([string[]]$Bases, [string[]]$Ids, [string[]]$Names)', '  foreach ($base in $Bases) {', '    if (-not (Test-Path $base)) { continue }', '    foreach ($profile in Get-ChildItem -Path $base -Directory -ErrorAction SilentlyContinue) {', '      $extRoot = Join-Path $profile.FullName ''Extensions''', '      if (-not (Test-Path $extRoot)) { continue }', '', '      # a) direct ID match', '      foreach ($id in $Ids) {', '        if (Test-Path (Join-Path $extRoot $id)) { return $true }', '      }', '', '      # b) manifest "name" fallback (covers Edge add-ons with different IDs)', '      $manifests = Get-ChildItem -Path $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue -Depth 2', '      foreach ($m in $manifests) {', '        try {', '          $json = Get-Content -Raw -Path $m.FullName | ConvertFrom-Json', '          foreach ($n in $Names) { if ($json.name -match $n) { return $true } }', '        } catch { }', '      }', '    }', '  }', '  return $false', '}', '', '# 3) Chromium-family extensions (Chrome, Edge, Brave, Vivaldi, Opera)', 'if (-not $found) {', '  $allIds = $chromeIds + $edgeIds', '  if (Test-ChromiumPM -Bases $chromiumBases -Ids $allIds -Names $namePatterns) { $found = $true }', '}', '', '# 4) Firefox extensions (parse extensions.json in each profile)', 'if (-not $found) {', '  $ffRoot = Join-Path $env:APPDATA ''Mozilla\Firefox\Profiles''', '  if (Test-Path $ffRoot) {', '    foreach ($p in Get-ChildItem -Path $ffRoot -Directory -ErrorAction SilentlyContinue) {', '      $ej = Join-Path $p.FullName ''extensions.json''', '      if (Test-Path $ej) {', '        try {', '          $data = Get-Content -Raw $ej | ConvertFrom-Json', '          $addons = @()', '          if ($data.addons) { $addons = $data.addons }', '          if ($addons | Where-Object {', '                ($_.defaultLocale.name -match $pmNameRegex) -or', '                ($_.name -match $pmNameRegex) }) { $found = $true; break }', '        } catch { }', '      }', '    }', '  }', '}', '', 'if (-not $found) { Write-Output ''No password manager installed'' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

https://en.wikipedia.org/wiki/Password_manager

Rollback

Disk encryption disabled

Threat

Dimension : system services / Severity : 4

Tags : CIS Benchmark Level 1,Configure BitLocker Drive Encryption, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection

Your main storage is not encrypted. While enabling encryption has a small performance impact, we strongly urge you to set it up. Without it, anyone with physical access to your computer can read your data.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: admin

Script

$__EDAMAME_LINES = @('if ((Get-WmiObject -Class Win32_ComputerSystem).Model -notmatch ''Virtual'') { if ((Get-BitLockerVolume).ProtectionStatus -eq ''Off'') { Write-Output ''File system not encrypted'' } }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-7d95-5074-dc66c78d6d5b

Rollback

https://support.microsoft.com/en-us/windows/turn-off-bitlocker-drive-encryption-0026063e-abe0-0e75-12dc-f6239c715f5d

User Account Control disabled

Threat

Dimension : system integrity / Severity : 5

Tags : CIS Benchmark Level 1,User Account Control: Admin Approval Mode

User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes to your computer. If UAC is disabled, it's easier for malware to make changes to your system without your knowledge. You should enable UAC to protect your system from such attacks.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-ItemProperty -Path ''HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'' -ErrorAction SilentlyContinue).EnableLUA -eq 0) { ''UAC disabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'' -Name EnableLUA -Value 1 -Type DWord'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'' -Name EnableLUA -Value 0 -Type DWord'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Automatic logon enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 1,Disable Automatic Logon

Automatic logon allows the system to log on a user automatically after booting. This is a security risk if the system is not physically secured, as anyone can access the system without providing credentials. It is recommended to disable automatic logon.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'' -ErrorAction SilentlyContinue).AutoAdminLogon -eq ''1'') { ''Automatic logon enabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'' -Name AutoAdminLogon -Value 0'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'' -Name AutoAdminLogon -Value 1'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Potentially compromised email address

Threat

Dimension : credentials / Severity : 1

Tags : Personal Posture

Check if your email address might have recently appeared in a data breach.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

pwned -i 365

Remediation

Tested for: Windows 10 / Action: Command line

Script

digitalidentity_manager

Rollback

https://haveibeenpwned.com/

Unverified or unsafe network environment

Threat

Dimension : network / Severity : 1

Tags : Personal Posture

The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

lanscan

Remediation

Tested for: Windows 10 / Action: Command line

Script

network_manager

Rollback

Tested for: Windows 10 / Action: Command line

Script

network_manager

Unverified or anomalous traffic

Threat

Dimension : network / Severity : 1

Tags : Personal Posture

The egress network traffic is not verified or contains anomalous traffic.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

egresscan

Remediation

Tested for: Windows 10 / Action: Command line

Script

session_manager

Rollback

Tested for: Windows 10 / Action: Command line

Script

session_manager

Windows Script Host enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Disable Windows Script Host

Windows Script Host is a built-in Windows scripting environment that runs VBScript, JScript, and other scripting languages. Disabling it can help mitigate some types of malware attacks.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'' -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1) { ''Windows Script Host enabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Microsoft\''Windows Script Host''\Settings /v Enabled /t REG_DWORD /d 0 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Microsoft\''Windows Script Host''\Settings /v Enabled /t REG_DWORD /d 1 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remote Desktop Protocol (RDP) enabled

Threat

Dimension : network / Severity : 4

Tags : CIS Benchmark Level 1,Ensure Remote Desktop Protocol is Configured

RDP allows users to remotely access and control a Windows computer from another location. While this can be convenient, it also presents a significant security risk if left enabled and unprotected. An attacker could potentially gain access to your computer and compromise your sensitive data or even take control of your system.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-ItemProperty -Path ''HKLM:\System\CurrentControlSet\Control\Terminal Server'' -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0) { ''Terminal Services connections allowed'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\System\CurrentControlSet\Control\Terminal Server'' -Name fDenyTSConnections -Value 1'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\System\CurrentControlSet\Control\Terminal Server'' -Name fDenyTSConnections -Value 0'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Windows Update disabled

Threat

Dimension : system integrity / Severity : 5

Tags : CIS Benchmark Level 1,Configure Automatic Updates

Disabling Windows Update prevents critical security patches and updates from being installed on your system, leaving your system vulnerable to known exploits and threats. It is highly recommended that you enable Windows Update to ensure your system is up to date with the latest security patches.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('$registryPath = ''HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU''', '$noAutoUpdate = (Get-ItemProperty -Path $registryPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate', '$useWUServer = (Get-ItemProperty -Path $registryPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer', 'Write-Output ($(if ($noAutoUpdate -eq 0 -or $useWUServer -eq 1) { '''' } else { $messages = @()', 'if ($noAutoUpdate -ne 0) {$messages += ''NoAutoUpdate is set.''}', 'if ($useWUServer -ne 1) {$messages += ''Updates are not managed through GPO.''}', '$messages -join '' '' }))'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Guest account enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 1,Ensure Guest account status is disabled

The Guest account is a default account in Windows, which allows users to access the system with limited privileges. It's recommended to disable this account to prevent unauthorized access to your system and data.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('$guestAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-501''}', 'if ($guestAccount.Enabled) {''Guest account is active''} else {''''}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('$guestAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-501''}', 'if ($guestAccount.Enabled) {Disable-LocalUser -Name $guestAccount.Name}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('$guestAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-501''}', 'if (-not $guestAccount.Enabled) {Enable-LocalUser -Name $guestAccount.Name}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Built-in Administrator account enabled

Threat

Dimension : credentials / Severity : 5

Tags : CIS Benchmark Level 1,Built-in Administrator account status

The Built-in Administrator account is a powerful account that has full access to the system. Having this account enabled is a security risk as it is a common target for attackers. It should be disabled unless it is absolutely necessary to enable it.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('$adminAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-500''}', 'if ($adminAccount.Enabled) {''Built-in Administrator account enabled''} else {''''}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('$adminAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-500''}', 'if ($adminAccount.Enabled) {Disable-LocalUser -Name $adminAccount.Name}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('$adminAccount = Get-LocalUser | Where-Object {$_.SID -like ''*-500''}', 'if (-not $adminAccount.Enabled) {Enable-LocalUser -Name $adminAccount.Name}'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Windows Firewall disabled

Threat

Dimension : network / Severity : 5

Tags : CIS Benchmark Level 1,Ensure Windows Firewall is Enabled

Windows Firewall is a built-in feature of Windows that helps to protect your computer from unauthorized access. When it's disabled, your computer is vulnerable to attacks from the network. We recommend that you enable it.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-NetFirewallProfile -All | Where-Object { $_.Enabled -eq ''False'' })) { ''One or more firewall profiles are disabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remote Registry Service enabled

Threat

Dimension : system services / Severity : 3

Tags : CIS Benchmark Level 1,Ensure Remote Registry Service is disabled

The Remote Registry Service allows remote access to the Windows Registry. This can be a security risk if not properly secured.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-Service -Name RemoteRegistry).Status -eq ''Running'') { ''RemoteRegistry service is running'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('(sc.exe config RemoteRegistry start= disabled) -and (sc.exe stop RemoteRegistry)'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('(sc.exe config RemoteRegistry start= auto) -and (sc.exe start RemoteRegistry)'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

LM and NTLMv1 protocols enabled

Threat

Dimension : credentials / Severity : 5

Tags : CIS Benchmark Level 1,Network security: LAN Manager authentication level

The LM and NTLMv1 protocols are outdated and insecure authentication protocols. They should be disabled to prevent potential security threats. Leaving these protocols enabled can allow attackers to potentially crack passwords and gain unauthorized access to sensitive information.

Implementation

Tested for: Windows 0 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if(((Get-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA'' -ErrorAction SilentlyContinue).LMCompatibilityLevel -lt 5) -or ((Get-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -ErrorAction SilentlyContinue).NtlmMinClientSec -lt 537395200) -or ((Get-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -ErrorAction SilentlyContinue).NtlmMinServerSec -lt 537395200)) { ''Weak NTLM settings'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT
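An added example, not part of the EDAMAME scripts: the check above compares three raw registry values against thresholds (LMCompatibilityLevel 5, NtlmMinClientSec and NtlmMinServerSec 537395200). The functions below decode those values into the authentication level and the session-security flags they represent (537395200 is 0x20080000, NTLMv2 session security plus 128-bit encryption), report which required flag is missing, and run first on constructed values and then on the local registry.

```powershell
# Added example, not from the EDAMAME threat model: decode the LSA values the
# check above compares, so the numeric thresholds read as policy settings.

# Meaning of LMCompatibilityLevel ("Network security: LAN Manager authentication level")
$LmCompatibilityLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# Bit flags accepted by NtlmMinClientSec and NtlmMinServerSec (decimal where the
# hex literal would be parsed as a negative Int32 by PowerShell)
$NtlmMinSecFlags = @(
    @{ Bit = 0x00000010; Name = 'Message integrity' }
    @{ Bit = 0x00000020; Name = 'Message confidentiality' }
    @{ Bit = 0x00080000; Name = 'NTLMv2 session security' }
    @{ Bit = 0x20000000; Name = '128-bit encryption' }
    @{ Bit = 2147483648; Name = '56-bit encryption' }   # 0x80000000
)

# The threshold 537395200 used by the check is 0x20080000: NTLMv2 session security + 128-bit encryption
$RequiredMinSec = [long]0x20080000

function ConvertFrom-NtlmMinSec {
    param([long]$Value)
    $names = foreach ($f in $NtlmMinSecFlags) { if (($Value -band $f.Bit) -ne 0) { $f.Name } }
    if ($names) { $names -join ', ' } else { 'none' }
}

function Test-NtlmHardening {
    # $null for a parameter means the value is absent from the registry
    param($LmCompatibilityLevel, $NtlmMinClientSec, $NtlmMinServerSec)
    $findings = @()

    if ($null -eq $LmCompatibilityLevel) {
        $findings += 'LMCompatibilityLevel not set: the OS default applies instead of the required level 5'
    } elseif ($LmCompatibilityLevel -lt 5) {
        $findings += ('LMCompatibilityLevel {0} ({1}) is below 5' -f $LmCompatibilityLevel, $LmCompatibilityLevels[[int]$LmCompatibilityLevel])
    }

    foreach ($pair in @(@('NtlmMinClientSec', $NtlmMinClientSec), @('NtlmMinServerSec', $NtlmMinServerSec))) {
        $name, $value = $pair
        if ($null -eq $value) { $findings += "$name not set"; continue }
        # DWORDs above 0x7FFFFFFF come back as negative Int32; normalise to the unsigned bit pattern
        $bits = [long]$value -band 4294967295
        $missing = foreach ($f in $NtlmMinSecFlags) {
            if ((($RequiredMinSec -band $f.Bit) -ne 0) -and (($bits -band $f.Bit) -eq 0)) { $f.Name }
        }
        if ($missing) {
            $findings += ('{0} = 0x{1:X8} ({2}); missing: {3}' -f $name, $bits, (ConvertFrom-NtlmMinSec $bits), ($missing -join ', '))
        }
    }
    return $findings
}

# Constructed samples: a host set to the values the remediation writes, and a legacy host
$hardened = Test-NtlmHardening -LmCompatibilityLevel 5 -NtlmMinClientSec 537395200 -NtlmMinServerSec 537395200
"Findings on hardened sample: $(@($hardened).Count)"
Test-NtlmHardening -LmCompatibilityLevel 1 -NtlmMinClientSec 0x20000000 -NtlmMinServerSec $null

# The same evaluation on this host
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue
Test-NtlmHardening -LmCompatibilityLevel $lsa.LMCompatibilityLevel -NtlmMinClientSec $msv.NtlmMinClientSec -NtlmMinServerSec $msv.NtlmMinServerSec
```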

Remediation

Tested for: Windows 0 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA'' -Name ''LMCompatibilityLevel'' -Value ''5'' -Type DWord', 'Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -Name ''NtlmMinClientSec'' -Value ''537395200'' -Type DWord', 'Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -Name ''NtlmMinServerSec'' -Value ''537395200'' -Type DWord'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 0 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA'' -Name ''LmCompatibilityLevel'' -Value ''1'' -Type DWord', 'Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -Name ''NtlmMinClientSec'' -Value ''262144'' -Type DWord', 'Set-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0'' -Name ''NtlmMinServerSec'' -Value ''537395200'' -Type DWord'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Lsass.exe process protection not enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Ensure LSASS is configured to run as a Protected Process

Lsass.exe is a critical system process that handles user authentication. It contains sensitive information such as passwords and security tokens. If this process is compromised, it could lead to a security breach. Enabling Lsass.exe process protection helps prevent attacks against this process. This content will show you how to enable Lsass.exe process protection.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('if((Get-ItemProperty -Path ''HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'' -Name ''RunAsPPL'' -ErrorAction SilentlyContinue).RunAsPPL -eq 0) { ''RunAsPPL is a REG_DWORD with value 0'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for: Windows 10 / Action: Command line / Elevation: system

Script

$__EDAMAME_LINES = @('reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

PowerShell execution policy not securely configured

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Ensure PowerShell Execution Policy is set to RemoteSigned

PowerShell is a powerful command-line tool that is built into Windows, and is often used by attackers to carry out malicious activities. The execution policy determines which scripts are allowed to run on a Windows system. If the execution policy is set to Unrestricted, it could allow an attacker to run malicious scripts on your system.

Implementation

Tested for: Windows 10 / Action: Command line / Elevation: user

Script

$__EDAMAME_LINES = @('$currentUserPolicy= Get-ExecutionPolicy -Scope CurrentUser', 'if($currentUserPolicy -eq ''Unrestricted'') { ''Execution Policy is unrestricted'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for: Windows 10 / Action: Command line / Elevation: restart

Script

$__EDAMAME_LINES = @('Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser -Force'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for : Windows 10 / Action : Command line / Elevation : restart

Script

$__EDAMAME_LINES = @('Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT
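The following is an added example, not EDAMAME code. `Get-ExecutionPolicy -List` returns all five scopes in precedence order (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine), and the first one that is not Undefined decides the effective policy. The function reports which scope won and flags permissive settings in any scope, not only CurrentUser. Treating Bypass as insecure alongside Unrestricted is an assumption of this example, made because Bypass disables the policy check entirely.

```powershell
# Added example, not EDAMAME code: resolve the effective execution policy the way
# PowerShell does and flag permissive settings in every scope.
# Assumption: Bypass is considered insecure in addition to Unrestricted.

function Get-ExecutionPolicyFinding {
    [CmdletBinding()]
    param(
        [string[]]$Insecure = @('Unrestricted', 'Bypass')
    )

    $scopes    = Get-ExecutionPolicy -List      # objects with Scope and ExecutionPolicy
    $effective = "$(Get-ExecutionPolicy)"       # what this session actually enforces

    # First scope in precedence order that is not Undefined decides the policy.
    $deciding = $scopes |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1

    $problems = @(foreach ($s in $scopes) {
        if ($Insecure -contains "$($s.ExecutionPolicy)") {
            "$($s.Scope) scope is $($s.ExecutionPolicy)"
        }
    })

    # MachinePolicy and UserPolicy come from Group Policy and outrank CurrentUser,
    # so Set-ExecutionPolicy -Scope CurrentUser cannot change the effective policy there.
    $gpoDriven = [bool]$deciding -and ("$($deciding.Scope)" -in @('MachinePolicy', 'UserPolicy'))

    [pscustomobject]@{
        Effective       = $effective
        DecidedBy       = if ($deciding) { "$($deciding.Scope)" } else { 'none set (OS default applies)' }
        OverriddenByGpo = $gpoDriven
        Finding         = if ($problems.Count) { $problems -join '; ' } else { '' }
    }
}

Get-ExecutionPolicyFinding | Format-List
```

When `OverriddenByGpo` is true, the per-user remediation above will succeed silently but leave the effective policy unchanged; the fix then belongs in Group Policy.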

Chrome browser not up to date

Threat

Dimension : applications / Severity : 3

Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

$__EDAMAME_LINES = @('$path = ''HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome''', 'if (Test-Path $path) { $local_version = (Get-ItemProperty -Path $path).DisplayVersion', '$web_content = Invoke-WebRequest -UseBasicParsing ''https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Windows&num=1''', '$latest_version = ($web_content.Content | ConvertFrom-Json)[0].version', 'if ([version]$latest_version -le [version]$local_version) { Write-Output '''' } else { Write-Output "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"', '} } else { Write-Output '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

https://support.google.com/chrome/answer/95414?hl=en

Rollback

https://support.google.com/chrome/a/answer/6350036?hl=en

SMBv1 Protocol Enabled

Threat

Dimension : network / Severity : 5

Tags : CIS Benchmark Level 1,Ensure SMBv1 protocol is disabled

The SMBv1 protocol is enabled on your system. This protocol is outdated and has known vulnerabilities that can allow attackers to take over your system. It should be disabled to improve your system's security.

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

$__EDAMAME_LINES = @('if((Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true) { ''SMBv1 enabled'' } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for : Windows 10 / Action : Command line / Elevation : restart

Script

$__EDAMAME_LINES = @('Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for : Windows 10 / Action : Command line / Elevation : restart

Script

$__EDAMAME_LINES = @('Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT
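The following is an added example, not EDAMAME code. Before SMBv1 is removed, a defender usually wants to know whether anything still depends on it. Windows can audit SMBv1 client connections to the local server (`Set-SmbServerConfiguration -AuditSmb1Access $true`), logging each one as event 3000 in the Microsoft-Windows-SMBServer/Audit log. The function combines the optional-feature state, the server setting and the audit events from the last `$Days` days. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later, and the regular expression assumes the default English event text.

```powershell
# Added example, not EDAMAME code: SMBv1 posture plus audit evidence of who still
# speaks SMBv1 to this host. Assumptions: elevated PowerShell, Windows 10 /
# Server 2016 or later, English event text for the "Client Address:" match.

function Enable-Smb1Audit {
    # Turns auditing on without disabling anything; -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Posture {
    [CmdletBinding()]
    param([int]$Days = 7)

    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Event 3000 is written once per SMBv1 connection while auditing is enabled.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    # Each event names the peer as "Client Address: <ip>"; keep the distinct set.
    $clients = @($events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1].TrimEnd('.') }
    } | Sort-Object -Unique)

    $enabled = $server.EnableSMB1Protocol -or ("$($feature.State)" -eq 'Enabled')

    [pscustomobject]@{
        FeatureState        = if ($feature) { "$($feature.State)" } else { 'unknown (not installed or needs elevation)' }
        EnableSMB1Protocol  = $server.EnableSMB1Protocol
        AuditSmb1Access     = $server.AuditSmb1Access
        Smb1ConnectionsSeen = $events.Count
        Smb1Clients         = $clients
        Finding             = if ($enabled) { 'SMBv1 enabled' } else { '' }
    }
}

Get-Smb1Posture | Format-List
```

A practical sequence is `Enable-Smb1Audit`, wait a week, then review `Smb1Clients` before running the remediation above; an empty list means the feature can go without breaking a legacy device.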

No sign-in options enabled

Threat

Dimension : credentials / Severity : 5

Your system currently does not have any sign-in options enabled. It is important to enable sign-in options like passwords, PIN, or Windows Hello to ensure your device is securely protected.

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

$__EDAMAME_LINES = @('$lastLoggedOnProvider = (Get-ItemProperty -Path ''HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'' -Name ''LastLoggedOnProvider'' -ErrorAction SilentlyContinue).LastLoggedOnProvider', 'if ($null -eq $lastLoggedOnProvider) { ''Registry entry not present'' } elseif ($lastLoggedOnProvider -like ''*NgcPin*'') { $pinLength = (Get-ItemProperty -Path ''HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'' -Name ''MinimumPINLength'' -ErrorAction SilentlyContinue).MinimumPINLength', 'if ($pinLength -lt 6) { ''Windows Hello PIN does not meet the minimum length requirement.'' } else { '''' } } else { '''' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for : Windows 10 / Action : Command line / Elevation : (not specified)

Script

ms-settings:signinoptions

Rollback

Tested for : Windows 10 / Action : Command line / Elevation : (not specified)

Script

ms-settings:signinoptions

Windows Hello is not available

Threat

Dimension : credentials / Severity : 5

Windows Hello, a crucial security feature, is not available on your system. Enabling it provides advanced security mechanisms such as PIN and biometric authentication.

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

$__EDAMAME_LINES = @('if (Test-Path ''HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Ngc\Status'') { '''' } else { ''Windows Hello is not available.'' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

ms-settings:signinoptions

Rollback

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

ms-settings:signinoptions

Screensaver lock is not properly configured

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Machine inactivity limit, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Logical Access

The screensaver lock settings are not properly configured. Ensuring a secure and active screensaver with a reasonable timeout enhances the physical security of your system.

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

$__EDAMAME_LINES = @('$screensaverTimeout = (Get-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaveTimeOut'' -ErrorAction SilentlyContinue).ScreenSaveTimeOut', '$screensaverActive = (Get-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaveActive'' -ErrorAction SilentlyContinue).ScreenSaveActive', '$secureScreensaver = (Get-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaverIsSecure'' -ErrorAction SilentlyContinue).ScreenSaverIsSecure', 'if ($screensaverActive -eq ''1'' -and $secureScreensaver -eq ''1'' -and [int]$screensaverTimeout -gt 0 -and [int]$screensaverTimeout -le 600) { '''' } else { ''Screensaver lock is not properly configured.'' }'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Remediation

Tested for : Windows 10 / Action : Command line / Elevation : system

Script

$__EDAMAME_LINES = @('Set-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaveTimeOut'' -Value 600', 'Set-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaveActive'' -Value 1', 'Set-ItemProperty -Path ''HKCU:\Control Panel\Desktop'' -Name ''ScreenSaverIsSecure'' -Value 1'); $__EDAMAME_SCRIPT = $__EDAMAME_LINES -join "`n"; Invoke-Expression $__EDAMAME_SCRIPT

Rollback

Tested for : Windows 10 / Action : Command line / Elevation : (not specified)

Script

ms-settings:lockscreen
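The following is an added example, not EDAMAME code. The screensaver values under `HKCU:\Control Panel\Desktop` are REG_SZ strings and may be absent, so a numeric comparison needs an explicit cast and a missing value must count as not configured. The function also reads the machine-wide `InactivityTimeoutSecs` policy (the CIS "Machine inactivity limit" named in the tags), which locks the session independently of the per-user screensaver settings. Because HKCU is the hive of the account the script runs as, run it in the context of the user being assessed. `$MaxTimeout`, the longest acceptable idle time in seconds, is an assumed parameter of this example.

```powershell
# Added example, not EDAMAME code: typed screensaver-lock check plus the
# machine-wide inactivity limit. Assumption: $MaxTimeout is in seconds and
# the script runs as the user whose HKCU hive is being assessed.

function ConvertTo-IntOrZero {
    # Registry strings such as '600' become 600; $null, '' or junk become 0.
    param([object]$Value)
    $n = 0
    if ([int]::TryParse("$Value", [ref]$n)) { return $n }
    return 0
}

function Get-ScreenLockState {
    [CmdletBinding()]
    param([int]$MaxTimeout = 600)

    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = ConvertTo-IntOrZero $desktop.ScreenSaveTimeOut
    $active  = ConvertTo-IntOrZero $desktop.ScreenSaveActive
    $secure  = ConvertTo-IntOrZero $desktop.ScreenSaverIsSecure

    # Machine-wide lock after inactivity (REG_DWORD, seconds); 0 or absent means off.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $inactivity = ConvertTo-IntOrZero $policy.InactivityTimeoutSecs

    # Per-user path: screensaver on, password required on resume, timeout within limit.
    $userOk    = ($active -eq 1) -and ($secure -eq 1) -and ($timeout -gt 0) -and ($timeout -le $MaxTimeout)
    # Machine path: a non-zero inactivity limit within the same bound.
    $machineOk = ($inactivity -gt 0) -and ($inactivity -le $MaxTimeout)

    [pscustomobject]@{
        ScreenSaveActive      = $active
        ScreenSaverIsSecure   = $secure
        ScreenSaveTimeOut     = $timeout
        InactivityTimeoutSecs = $inactivity
        Compliant             = ($userOk -or $machineOk)
        Finding               = if ($userOk -or $machineOk) { '' } else {
            "Screensaver lock is not properly configured (active=$active secure=$secure timeout=$timeout inactivityLimit=$inactivity)"
        }
    }
}

Get-ScreenLockState | Format-List
```

Without the cast, PowerShell compares a REG_SZ timeout such as '1200' to 600 as strings, and '1200' sorts before '600', which makes a twenty-minute timeout look compliant.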

Business rule not respected

Threat

Dimension : applications / Severity : 1

One or more business rules are not respected. Please check the command output for more details. To enable business rules, set the EDAMAME_BUSINESS_RULES_CMD environment variable. See: https://github.com/edamametechnologies/edamame_posture_cli?tab=readme-ov-file#business-rules

Implementation

Tested for : Windows 10 / Action : Command line / Elevation : user

Script

business_rules

Remediation

Refer to the business rules documentation for more details.

Rollback

Refer to the business rules documentation for more details.