
Updates

mwjcomputing committed Apr 24, 2014
2 parents f6ffb56 + d659574 commit 1bcfb303aefe4154fe86fbdf0ed514de9f8efa03
@@ -12,11 +12,20 @@ function Find-SecAccountNameChecker
}
}
#Search for names associated with processes
#Output that list
<#
Creates a list of accounts that could be linked to any special privileges or processes.
<#
.SYNOPSIS
Creates a list of accounts that could be linked to any special privileges or processes.
.DESCRIPTION
Searches for any account names associated with privileges or processes. Functionality must be added for an individual organization's needs.
.EXAMPLE
PS> Find-SecAccountNameChecker
"There are one or more accounts that can be associated with special privileges."
CN=MattAdmin
.LINK
www.poshsec.com
.NOTES
This function is a PoshSec module.
#>
}
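Review bot: The help block in this hunk is preceded by a second `<#` and a bare summary line (the two lines just before `.SYNOPSIS`); PowerShell block comments do not nest, so if both lines are on the new side the outer `<#` opens the comment and the keyword sections become plain text that Get-Help may not recognise. The rendered page does not show which side those two lines belong to, so confirm in the file, and if they remain, delete them so the block starts directly with `<#` followed by `.SYNOPSIS`. The two `#Search for names…`/`#Output that list` lines duplicate the `.DESCRIPTION` and can go once the help block is valid. The function body itself begins before this hunk, so the example output (`CN=MattAdmin`) could not be checked against the code.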
@@ -0,0 +1,35 @@
function Get-SecAdminAccounts
{
$filename = Get-DateISO8601 -Prefix "Admin-Report" -Suffix ".xml"
Get-ADGroupMember -Identity administrators | Export-Clixml $filename
[System.Array]$current = Import-Clixml $filename
[System.Array]$approved = Import-Clixml ".\Baselines\Admin-Baseline.xml"
Move-Item $filename .\Reports
$exception = Get-DateISO8601 -Prefix "Admin-Exception" -Suffix ".xml"
Compare-Object $approved $current | Export-Clixml ".\Exception-Reports\$exception"
<#
.SYNOPSIS
Gets list of accounts that are members of various administrator groups, then compares it to the baseline list.
.DESCRIPTION
Gets list of all administrator accounts in the domain.
.EXAMPLE
PS> Get-SecAdminAccounts
CN=Matt Johnson,OU=IS,DC=PoshSec,DC=com
CN=Rich Cassara,OU=IS,DC=PoshSec,DC=com
..
.LINK
www.poshsec.com
.NOTES
This function is a PoshSec module.
#>
}
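Review bot: `Get-ADGroupMember -Identity administrators` on the `Export-Clixml $filename` line enumerates only the built-in Administrators group and, without `-Recursive`, only its direct members, so nested groups and the other privileged groups the synopsis calls "various administrator groups" are never compared to the baseline; `Get-ADGroupMember -Identity Administrators -Recursive | Export-Clixml $filename` closes the nesting gap and the `.SYNOPSIS` should name exactly which groups are covered. `Move-Item $filename .\Reports` silently renames the report to a file called `Reports` when that directory is absent, and `Import-Clixml ".\Baselines\Admin-Baseline.xml"` raises when no baseline exists — both depend on whatever the current directory happens to be, which is fragile for an audit artefact. Comparing deserialized objects with `Compare-Object $approved $current` relies on their ToString value; `Compare-Object $approved $current -Property DistinguishedName` makes the comparison key explicit (I could not confirm from here what the deserialized ToString yields). The `.EXAMPLE` shows distinguished names on the pipeline, but the function emits nothing — the differences go only to the exception file — so the example should show that instead.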
@@ -12,6 +12,22 @@ function Get-SecInactiveAccount
{
Disable-ADAccount -Identity $n -Confirm
}
<#
.SYNOPSIS
Gets current users that are inactive
.DESCRIPTION
This function checks for any accounts that have been active for 30 days.
For each account that has, will prompt the admin to confirm disabling
.EXAMPLE
PS> Get-SecInactiveAccounts
CN=Matt Johnson,OU=IS,DC=PoshSec,DC=com
CN=Rich Cassara,OU=IS,DC=PoshSec,DC=com
.LINK
www.poshsec.com
.NOTES
This function is a PoshSec module.
#>
<#
Designed to check for any accounts that have been inactive for 30 days.
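Review bot: The `.DESCRIPTION` says the function checks accounts "that have been active for 30 days" and the `.EXAMPLE` calls `Get-SecInactiveAccounts`, but the function is `Get-SecInactiveAccount` and, per the synopsis and the trailing old comment, targets inactive accounts; suggest `This function checks for any accounts that have been inactive for 30 days.` and `PS> Get-SecInactiveAccount`. The `Disable-ADAccount -Identity $n -Confirm` line means this is not a read-only "Get" — the help should state up front that it prompts to disable each account, e.g. `.SYNOPSIS` `Lists users inactive for 30 days and prompts to disable each one.` The loop that sets `$n` starts before this hunk, and the second `<#` after `#>` appears to be the old comment being replaced, so I could not confirm its side from the rendered page.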
@@ -0,0 +1,41 @@
function Get-SecPasswordsOverExpireDate
{
param (
[Parameter(Mandatory=$true)]
[int]$days
)
$list = @()
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user))"
$search.SizeLimit = 3000
$search.FindAll() | foreach {
$pwdset = [datetime]::fromfiletime($_.properties.item("pwdLastSet")[0])
$age = (New-TimeSpan $pwdset).Days
if ($age -gt $days) {
$list = $list + ([adsi]$_.path).DistinguishedName
}
}
Write-Output $list
<#
.SYNOPSIS
Gets current that passwords are older than a certain date.
.DESCRIPTION
Gets current that passwords are older than a certain date that is specified.
.INPUTS
System.Int32
.PARAMETER days
This is the number of days a password should not exceed in age.
.EXAMPLE
PS> Get-SecPasswordsOverExpireDate -days 60
CN=Matt Johnson,OU=IS,DC=PoshSec,DC=com
CN=Rich Cassara,OU=IS,DC=PoshSec,DC=com
.LINK
www.poshsec.com
.NOTES
This function is a PoshSec module.
#>
}
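Review bot: `$search.SizeLimit = 3000` caps the result set, so in a directory with more than 3000 user objects the remaining accounts are never checked for password age and the report looks complete — the worst failure mode for an audit; replace it with paging, `$search.PageSize = 1000` (and drop the SizeLimit line), so `FindAll()` walks the whole directory. `[datetime]::fromfiletime($_.properties.item("pwdLastSet")[0])` turns a `pwdLastSet` of 0 (password never set / must change at next logon) into 1601, so those accounts are reported as having an enormous age rather than as a distinct condition, and an object with no value for the attribute would fail on the `[0]` index; read the raw value first and handle 0/empty explicitly (inside `foreach` use `return`, not `continue`, to skip an item). The `.SYNOPSIS`/`.DESCRIPTION` text "Gets current that passwords are older" is garbled — e.g. `Gets users whose password is older than the specified number of days.`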
@@ -1,4 +1,7 @@
function Show-SecDisabledAccountAccess {
function Show-SecDisabledAccountAccess
{
[CmdletBinding()]
param (
[Parameter(Position=1, Mandatory=$false)]
@@ -23,7 +26,7 @@
.INPUTS
System.String
.PARAMETER computerName
Name of computer to get the invalid access attempts from.
Name of computer from which to collect invalid access attempts.
.EXAMPLE
PS> Show-SecDisabledAccountAccess -computerName DC1
CN=Matt Johnson,OU=IS,DC=PoshSec,DC=com
@@ -34,4 +37,4 @@
This function is a PoshSec module.
#>
}
}
@@ -1,9 +1,6 @@
function Compare-SecDeviceInventory
{
<#
Synopsis
Compare device baseline list to the current list, then exports the results into an exception report
#>
[String]$filename = Get-DateISO8601 -Prefix ".\Device-Inventory" -Suffix ".xml"
@@ -18,5 +15,19 @@ function Compare-SecDeviceInventory
# The script can be emailed for review or processing in the ticketing system:
# Send-MailMessage -To -Subject "Installed software exception for $computer" -Body "The report is attached." -Attachments $filename
<#
.SYNOPSIS
Compare device baseline list to the current list, then exports the results into an exception report
.DESCRIPTION
Automated function that is called by Get-SecDeviceInventory to compare the newly-generated list to the baseline and provide an exception report
.LINK
www.poshsec.com
.LINK
github.com/poshsec
#>
}
@@ -0,0 +1,55 @@
function Start-SecBaseline
{
if(-NOT(Test-Path ".\Exception-Reports"))
{
New-Item .\Exception-Reports -type directory
}
if(-NOT(Test-Path ".\Baselines"))
{
New-Item .\Baselines -type directory
}
if(-NOT(Test-Path ".\Reports"))
{
New-Item .\Reports -type directory
}
Get-ADGroupMember -Identity administrators | Export-Clixml ".\Baselines\Admin-Baseline.xml"
Search-ADAccount -PasswordNeverExpires | Export-Clixml ".\Baselines\Never-Expires-Baseline.xml"
Search-ADAccount -AccountExpired | Export-Clixml ".\Baselines\Expired-Baseline.xml"
Search-ADAccount -AccountDisabled | Export-Clixml ".\Baselines\Disabled-Baseline.xml"
Search-ADAccount -LockedOut | Export-Clixml ".\Baselines\Locked-Baseline.xml"
Get-SecDNSLogStatus
Get-SecDeviceList
Get-SecSoftwareInstalled
Get-SecSoftwareIntegrity
Get-SecOpenPort
Set-SecFirewallSettings
Set-SecLogSettings
Get-SecFiles
<#
.SYNOPSIS
Centralized script to create the baseline files for comparison later. Must be run as an administrator, then disable administrator priveleges.
.DESCRIPTION
Steps of Implementation:
1. Check for proper directories (.\Exception-Reports)
2. Creates directories if they are missing
3. Run Scripts
4. Send current Exception-Reports to Admin
.EXAMPLE
PS C:\> Start-SecBaselines
.LINK
www.poshsec.com
.LINK
github.com/poshsec
#>
}
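Review bot: The synopsis says this must run as an administrator but nothing enforces it, so an unelevated run writes partial or empty baselines that later comparisons will trust; add `#Requires -RunAsAdministrator` at the top of the file (PowerShell 4.0+) or check the current identity before the first `Export-Clixml`. Every baseline is written under `.\Baselines` relative to the current directory, and those files are the trust anchor for all later exception reports, so resolve a fixed, ACL-protected base path once rather than depending on where the function is invoked. `Set-SecFirewallSettings` and `Set-SecLogSettings` change host configuration inside what the help describes as baseline capture; splitting them into a separate hardening step keeps the capture read-only. The `.EXAMPLE` calls `Start-SecBaselines` while the function is `Start-SecBaseline`, and step 4 "Send current Exception-Reports to Admin" has no corresponding code in the body.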
@@ -2,22 +2,32 @@
{
<#
To perform the necessary daily functions of PoshSec
Rather than establish baselines, this is to organize and continue reporting.
#>
Get-SecDeviceList
Get-SecSoftwareInstalled
Get-SecSoftwareIntegrity
Get-SecOpenPort
<<<<<<< HEAD:Baselines/Start-SecDailyFunction.ps1
Get-SecWAP
Get-SecExpiredAccount
Get-SecAdminAccount
Get-SecLockedOutAccount
Get-SecDisabledAccount
Get-SecFile
=======
Get-SecExpiredAccounts
Get-SecAdminAccounts
Get-SecLockedOutAccounts
Get-SecDisabledAccounts
Get-SecFiles
<#
.SYNOPSIS
To perform the necessary daily functions of PoshSec.Rather than establish baselines, this is to organize and continue reporting.
.DESCRIPTION
Centralized script to use for repitition
.LINK
www.poshsec.com
>>>>>>> d659574ba51394548ce0499d2bbc40bbc9c8043d:Baselines/Start-SecDailyFunctions.ps1
#>
}
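Review bot: The committed file still contains unresolved merge-conflict markers — the `<<<<<<< HEAD:Baselines/Start-SecDailyFunction.ps1`, `=======` and `>>>>>>> d659574…` lines — so this function will not parse and the daily job cannot run. Resolve by keeping one naming scheme: the plural `Get-SecAdminAccounts` is what this same commit defines, so take the lower list, keep `Get-SecWAP` from the HEAD side if it is still wanted, and delete the three marker lines; I could not confirm whether the singular names exist elsewhere in the module. The `>>>>>>>` marker also sits inside the help comment, so check that `#>` ends up immediately after `www.poshsec.com` once the markers are gone. The two markers reference different file names (`Start-SecDailyFunction.ps1` vs `Start-SecDailyFunctions.ps1`), so verify the rename was also settled.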
@@ -1,6 +1,5 @@
function Get-SecDNSLogStatus {
Add-CommentHelp -Description GET-SecDNSLogStatus -Synopsis "Get-SecDNSLogStatus verifies that DNS log files exist that can then be used for inventory purposes."
function Get-SecDNSLogStatus
{
$rootpath = "systemroot\System32\Dns\"
@@ -18,4 +17,21 @@ foreach ($f in Get-ChildItem $rootpath)
}
}
}
}
<#
.SYNOPSIS
Verifies that DNS log files exist that can then be used for inventory purposes
.EXAMPLE
PS C:\> Get-SecDNSLogStatus
"DNS Logging Enabled"
.LINK
www.poshsec.com
.LINK
github.com/poshsec
#>
}
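Review bot: `$rootpath = "systemroot\System32\Dns\"` in the first hunk is a literal relative path — the environment variable is never expanded — so `Get-ChildItem $rootpath` in the loop header looks for a `systemroot` folder under the current directory and the function cannot report on the real DNS log location; it should read `$rootpath = "$env:SystemRoot\System32\Dns\"`. This is a context line, so the defect predates the commit, unless something between the hunks reassigns the variable. The loop body is outside the hunks, so I could not check that the `"DNS Logging Enabled"` output in the `.EXAMPLE` matches what the code writes; a `.DESCRIPTION` stating what "exist" means here (which files, and whether an empty file counts) would help operators.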
@@ -1,11 +1,7 @@
function Get-SecWAP
{
<#
Synopsis
To use each workstation as a sensor, by checking for available wireless networks and comparing it to the baseline of networks
This works with CSIS Control 7 Wireless Device Control
#>
$computer = Get-Content Env:\COMPUTERNAME
$filename = Get-DateISO8601 -Prefix ".\$computer-WAP" -Suffix ".xml"
@@ -35,6 +31,14 @@ function Get-SecWAP
# The script can be emailed for review or processing in the ticketing system:
# Send-MailMessage -To -Subject "Wireless access point exception for $computer" -Body "The report is attached." -Attachments $filename
}
<#
.SYNOPSIS
To use each workstation as a sensor, by checking for available wireless networks and comparing it to the baseline of networks
This works with CSIS Control 7 Wireless Device Control
.DESCRIPTION
Uses netsh to generate a list of wireless access points accessible to each workstation
.LINK
www.poshsec.com
#>
}
@@ -1,16 +1,25 @@
function Set-SecLogSettings
{
<#
Goal
To manage, configure and enable the eventlogs.
Increase storage size
Configure the overflow action (not to erase, but to create a new log
#>
Limit-EventLog -LogName Application -MaximumSize 1GB -OverflowAction DoNotOverwrite
Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction DoNotOverwrite
Limit-EventLog -LogName System -MaximumSize 1GB -OverflowAction DoNotOverwrite
Limit-EventLog -LogName 'DNS Server' -MaximumSize 1GB -OverflowAction DoNotOverwrite
<#
.SYNOPSIS
Configures log settings. Sizing must be configured to individual needs, as initial values should not be considered a baseline
.DESCRIPTION
Configures log settings
.LINK
www.poshsec.com
.LINK
github.com/poshsec
#>
}
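Review bot: `-OverflowAction DoNotOverwrite` on all four `Limit-EventLog` lines makes Windows discard new events once the log reaches its maximum size, so a full Security log silently stops recording — the opposite of what the replaced comment intended ("not to erase, but to create a new log"), which is archive-on-full behavior that `Limit-EventLog` cannot configure. Either keep `OverwriteAsNeeded` with a large size and forward events off-host, or enable auto-backup with retention (e.g. `wevtutil sl Security /ab:true /rt:true`), and state the chosen policy and its consequence in `.DESCRIPTION` rather than only "Configures log settings". The `'DNS Server'` log exists only on DNS servers, so on other hosts that line raises a (non-terminating by default) error; guard it with `if ((Get-EventLog -List).Log -contains 'DNS Server') { … }`.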
