This script fixes the Windows CIS Benchmark check 18.9.25.2: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.25.3: "Ensure 'Enable password encryption' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.25.4: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'."
The script modifies the registry to enable password complexity with large letters, small letters, numbers, and special characters (value 4) under the LAPS policy path. It then verifies that the setting is correctly applied.
This script fixes the Windows CIS Benchmark check 18.9.25.5: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'."
This script fixes the Windows CIS Benchmark check 18.9.25.6: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'."
This script fixes the Windows CIS Benchmark check 18.9.25.7: "Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'."
This script checks and sets the registry value for the LAPS post-authentication grace period (hours) to a value between 1 and 8 inclusive. It ensures the CIS check "Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" passes. The script creates the registry key if it does not exist and handles errors gracefully.
GracePeriodHours: Specifies the grace period in hours to set. Must be an integer between 1 and 8. Defaults to 8 if not specified.
Example: .\SetCisLapsGracePeriod.ps1 -GracePeriodHours 4
Note: This script modifies the registry directly and may be overwritten by Group Policy. It is recommended to configure this setting via Group Policy for persistent changes. LAPS must be installed for this setting to be fully functional, but the script will still set the registry value to pass the CIS check.
This script fixes the Windows CIS Benchmark check 18.9.26.1: "Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'."
The script checks if it is running with administrative privileges, sets the registry key to disable custom SSPs and APs, and then verifies that the setting is correctly applied. This addresses the CIS recommendation by ensuring the registry value is set to 0 (Disabled).
This script fixes the Windows CIS Benchmark check 18.9.27.1: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.28.1: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.28.2: "Ensure 'Do not display network selection UI' is set to 'Enabled'."
The script modifies the registry to set the DontDisplayNetworkSelectionUI value to 1 under the specified path. It then checks the value to confirm it is correctly set. This addresses the CIS check for ensuring the network selection UI is not displayed.