
Unify implementation of SYSVOL and NETLOGON Security implementation #757

@TuemmlerKelch

Description


There are 2 kinds of checks that should be true regardless of the configured order and the usage of ", " or ",".
As of now, we have three different implementations of this check.

The goal is to identify all benchmarks that need the check to be implemented with our most recent implementation.
We need to check the checks that look at this destination:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

Proper configuration (newer checks also check for RequirePrivacy=1)

```powershell
[AuditTest] @{
    Id = "Registry-073"
    Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1."
    Test = {
        try {
            # Value name is the UNC pattern '\\*\SYSVOL' (markdown had mangled the backslashes)
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
                -Name "\\*\SYSVOL" `
                | Select-Object -ExpandProperty "\\*\SYSVOL"

            # Accept both orderings and optional whitespace after the comma
            if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") {
                return @{
                    Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }

        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
```
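As an added example (not code from the AuditTAP project or the issue author), the following sketches what a single shared implementation could look like: instead of one hand-written regex per ordering, the hardened-path value is parsed into name/value pairs, so the check passes regardless of the order of the settings and of whether ", " or "," separates them, and the same function covers SYSVOL and NETLOGON with or without RequirePrivacy=1. The function names, the `Required` hashtable and the sample values are assumptions made for this example.

```powershell
# Added example, not part of the AuditTAP repository. Function names and the
# shape of the $Required table are assumptions for this illustration.

# Parse "Name=Value, Name=Value" into a hashtable; whitespace and order are irrelevant.
function ConvertFrom-HardenedPathValue {
    param([AllowEmptyString()][string]$Value)
    $settings = @{}                      # hashtable keys are case-insensitive by default
    foreach ($part in ($Value -split ',')) {
        $pair = $part.Trim()
        if ($pair -notmatch '^([^=]+)=(.*)$') { continue }   # ignore empty or malformed fragments
        $settings[$Matches[1].Trim()] = $Matches[2].Trim()
    }
    return $settings
}

# Compare a parsed value against the required settings; report what is missing.
function Test-HardenedPathValue {
    param(
        [AllowEmptyString()][string]$Value,
        [hashtable]$Required = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }
    )
    $actual  = ConvertFrom-HardenedPathValue -Value $Value
    $missing = foreach ($name in $Required.Keys) {
        if ($actual[$name] -ne $Required[$name]) { "$name=$($Required[$name])" }
    }
    return [pscustomobject]@{
        Compliant = (@($missing).Count -eq 0)
        Missing   = @($missing)
    }
}

# Read the registry value for one share and return the Message/Status shape AuditTest expects.
function Get-HardenedPathStatus {
    param(
        [Parameter(Mandatory)][string]$Share,   # 'SYSVOL' or 'NETLOGON'
        [switch]$RequirePrivacy                 # newer benchmarks also demand RequirePrivacy=1
    )
    $path = 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $name = '\\*\' + $Share                    # value name, e.g. \\*\SYSVOL
    $required = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }
    if ($RequirePrivacy) { $required['RequirePrivacy'] = '1' }

    try {
        $regValue = Get-ItemProperty -ErrorAction Stop -Path $path -Name $name |
            Select-Object -ExpandProperty $name
    }
    catch [System.Management.Automation.PSArgumentException] {
        return @{ Message = 'Registry value not found.'; Status = 'False' }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        return @{ Message = 'Registry key not found.'; Status = 'False' }
    }

    $result = Test-HardenedPathValue -Value $regValue -Required $required
    if (-not $result.Compliant) {
        return @{
            Message = "Registry value is '$regValue'. Missing: $($result.Missing -join ', ')"
            Status  = 'False'
        }
    }
    return @{ Message = 'Compliant'; Status = 'True' }
}

# Constructed sample values (not read from a real machine) exercising the parser:
# both orderings and both separators are treated alike, a missing setting is reported.
Test-HardenedPathValue -Value 'RequireMutualAuthentication=1, RequireIntegrity=1'
Test-HardenedPathValue -Value 'RequireIntegrity=1,RequireMutualAuthentication=1'
Test-HardenedPathValue -Value 'RequireMutualAuthentication=1' -Required @{
    RequireMutualAuthentication = '1'; RequireIntegrity = '1'; RequirePrivacy = '1'
}

# On a domain-joined host the benchmark body would reduce to one call per share:
# Get-HardenedPathStatus -Share 'SYSVOL'
# Get-HardenedPathStatus -Share 'NETLOGON' -RequirePrivacy
```

Because the comparison is done on parsed pairs rather than on the raw string, adding RequirePrivacy=1 for newer benchmarks is a one-entry change to `$Required` instead of a new regex permutation, and the failure message lists exactly which setting is absent.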
