Skip to content
Windows OS Hardening with PowerShell DSC
PowerShell
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore added Windows Server 2019 benchmark Mar 25, 2020
AuditPolicy_WindowsServer2016.ps1 removed comments Mar 2, 2020
AzSC_CCEv4_WindowsServer2016.ps1 Initial commit Dec 17, 2019
CIS_Windows10_v181.ps1 Edited README.md Mar 30, 2020
CIS_WindowsServer2016_v110.ps1 changed registry name Mar 30, 2020
CIS_WindowsServer2019_v110.ps1 changed registry name Mar 30, 2020
LICENSE Initial commit Dec 17, 2019
README.md edited README.md Apr 1, 2020

README.md

posh-dsc-windowsserver-hardening

This repository contains PowerShell DSC code for the secure configuration of Windows according to the following hardening guidelines:

  • CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark v1.8.1
  • CIS Microsoft Windows Server 2019 Release 1809 benchmark v1.1.0
  • CIS Microsoft Windows Server 2016 Release 1607 benchmark v1.1.0
  • Azure Secure Center Baseline for Windows Server 2016
  • Windows Event Log and Audit Policy Best Practices

Read more about it on our NVISO Blog

CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark v1.8.1

The file CIS_Windows10_v181.ps1 contains the Powershell DSC configuration applying the CIS Microsoft Windows 10 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • For control 5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled', modify to 2 for testing.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', modify to 1 for testing.

CIS Microsoft Windows Server 2019 Release 1809 benchmark v1.1.0

The file CIS_WindowsServer2019_v110.ps1 contains the Powershell DSC configuration applying the CIS Microsoft Windows Server 2019 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are in comment due to duplicates.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', modify to 1 for testing.

  • For control 19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled', it is in comment because this is a duplicate of the control 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'.

CIS Microsoft Windows Server 2016 Release 1607 benchmark v1.1.0

The file CIS_WindowsServer2016_v110.ps1 contains the Powershell DSC configuration applying the CIS Microsoft Windows Server 2016 benchmark with the recommended controls.

The CIS benchmark is available on the following website:

CIS Benchmarks - Center for Internet Security

Please note the following exceptions:

  • Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are in comment due to duplicates.

  • For control 18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled', modify to 1 for testing.

  • For control 19.7.40.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled', it is in comment because this is a duplicate of the recommendation control 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'.

Azure Security Center Baseline for Windows Server 2016

The file AzSC_CCEv4_WindowsServer2016.ps1 contains all controls in the Azure Security Center Baseline for Windows Server 2016.

Azure Security Center Baseline for Windows Server 2016 can be found here:

TechNet Azure Security Center Common Configuration

Windows Event Log and Audit Policy Best Practices

The file AuditPolicy_WindowsServer2016.ps1 contains the Powershell DSC code for applying Windows event logging and audit settings best practices.

These best practices are based on guidelines from Malware Archeology:

Malware Archeology

Usage

To apply the CIS benchmark PowerShell DSC code, follow these steps in an elevated PowerShell prompt:

Install the required PowerShell DSC modules:

install-module AuditPolicyDSC
install-module ComputerManagementDsc
install-module SecurityPolicyDsc

Compile the CIS benchmark PowerShell DSC code:

./CIS_WindowsServer2016_v110.ps1

A MOF file will be created.

Increase the maximum envelope size, by running the following command

Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 2048

Enable Windows Remote management:

winrm quickconfig

Run the following command to apply the PowerShell DSC configuration:

Start-DscConfiguration -Path .\CIS_WindowsServer2016_v110  -Force -Verbose -Wait

OS Platforms

The relevant baselines have been tested on the following operating systems:

  • Windows 10 Release 1909
  • Windows Server 2016 Release 1607
  • Windows Server 2019 Release 1809

Disclaimer

This code is provided as is. Please test thoroughly before applying it to production systems.

License

GPL-3.0

You can’t perform that action at this time.