This script fixes the Windows CIS Benchmark check 2.3.10.4: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
The script checks the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for the property DisableDomainCreds. If it is not set to 1, the script sets it to 1 (Enabled). After modification, it verifies the setting and reports the result.
This script fixes the Windows CIS Benchmark check 2.3.9.5: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."
The script ensures the registry value SMBServerNameHardeningLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters is set to 1 or higher, which corresponds to 'Accept if provided by client' or stricter. It then verifies that the value meets the CIS requirement (>=1).
HardeningLevel: The value to set for SMBServerNameHardeningLevel. Must be an integer greater than or equal to 1. Default is 1 (Accept if provided by client).
.\FixCisCheck.ps1
Sets the hardening level to 1 and verifies.
.\FixCisCheck.ps1 -HardeningLevel 2
Sets the hardening level to 2 (Required from client) and verifies.
This script fixes the Windows CIS Benchmark check 2.3.8.1: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.20.1.1: "Ensure 'Turn off access to the Store' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
This script fixes the Windows CIS Benchmark check 2.3.7.7: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'."
The script reads the current CachedLogonsCount registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If the value is greater than 4 or does not exist, it sets it to 4. After modification, it verifies the setting and reports the compliance status.
Verbose: Use this switch to enable verbose output for detailed logging.
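One way to implement the CachedLogonsCount check described above, as an added PowerShell example that is not the original script; the function name Set-CachedLogonsCount, the -MaxCount parameter and the result object are hypothetical. It writes the value as a string because Windows stores CachedLogonsCount as REG_SZ, and it assumes a non-numeric or negative value should also be treated as non-compliant, which the description does not state.

```powershell
#Requires -RunAsAdministrator
# Added example: function name, -MaxCount and the result object are hypothetical.
function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 4)]   # CIS 2.3.7.7 allows 4 or fewer cached logons
        [int]$MaxCount = 4
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # Returns the value as an int, or $null when it is missing or not numeric.
    # The value is stored as a string (REG_SZ), so it is parsed before comparing.
    function Read-Count {
        $raw = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $n = 0
        if ($null -ne $raw -and [int]::TryParse([string]$raw, [ref]$n)) { return $n }
        return $null
    }

    $before = Read-Count
    Write-Verbose "Current $name = $(if ($null -eq $before) { '<missing or non-numeric>' } else { $before })"

    # Non-compliant when missing, unparseable or negative (assumptions), or above the limit.
    if ($null -eq $before -or $before -lt 0 -or $before -gt $MaxCount) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set to $MaxCount")) {
            Set-ItemProperty -Path $path -Name $name -Value "$MaxCount" -Type String
        }
    }

    # Verify by re-reading the registry rather than trusting the write.
    $after = Read-Count
    [pscustomobject]@{
        Check     = 'CIS 2.3.7.7'
        Previous  = $before
        Current   = $after
        Compliant = ($null -ne $after -and $after -ge 0 -and $after -le $MaxCount)
    }
}

Set-CachedLogonsCount -Verbose
```

Running it with -WhatIf shows the pending change without writing it, in which case Compliant reflects the unchanged value.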
This script fixes the Windows CIS Benchmark check 9.3.4: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."
This script fixes the Windows CIS Benchmark check 5.5: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'."
This script fixes the Windows CIS Benchmark check 2.3.4.1: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 2.3.2.1: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."
This function modifies the registry to ensure that the 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is enabled, as per CIS benchmarks. It also verifies the setting after modification.
Set-CisAuditPolicyOverride
This function requires administrative privileges and is intended for Windows Vista or later.