Script Share

cis_win11_enterprise 18.5.6

Fix Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'.

This script fixes the windows CIS Benchmark check 18.5.6: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'."

cis_win11_enterprise 18.5.8

This script sets the registry key to disable IRDP (PerformRouterDiscovery) as per CIS benchmark and verifies the change.

This script fixes the windows CIS Benchmark check 18.5.8: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'."

The script modifies the registry to ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to Disabled (value 0). It includes error handling and automatic verification of the setting.

Notes

This script directly modifies the registry and does not use Group Policy.
If Group Policy is managing this setting, changes may be overwritten. Consider using Group Policy for persistent changes.
Compatible with PowerShell 5.1.

cis_win11_enterprise 18.5.12

Fix Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.

This script fixes the windows CIS Benchmark check 18.5.12: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."

cis_win11_enterprise 18.6.4.1

Fix Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher.

This script fixes the windows CIS Benchmark check 18.6.4.1: "Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher."

cis_win11_enterprise 18.6.8.1

Fix Ensure 'Enable insecure guest logons' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 18.6.8.1: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."

cis_win11_enterprise 18.6.11.2

Fix Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.2: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."

cis_win11_enterprise 18.6.11.3

Fix Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.3: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."

cis_win11_enterprise 18.6.11.4

Fix Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.4: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."

cis_win11_enterprise 18.6.14.1

This script sets the registry values to enable Hardened UNC Paths for NETLOGON and SYSVOL shares as per CIS benchmarks and verifies the configuration.

This script fixes the windows CIS Benchmark check 18.6.14.1: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'."

The script ensures that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths is configured with the required settings for \\NETLOGON and \\SYSVOL. It sets RequireMutualAuthentication, RequireIntegrity, and RequirePrivacy to 1 for both shares. After setting the values, it verifies the configuration and reports the status.

Notes

This script must be run with administrative privileges.
Compatible with PowerShell 5.1.
Follows the principle of least privilege by requiring admin rights only when necessary.

cis_win11_enterprise 18.6.19.2.1

Fix Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)').

This script fixes the windows CIS Benchmark check 18.6.19.2.1: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."

XeroSec

Member

389scripts

4comments

Programming Languages

PowerShell10 (2.6%)

Operating Systems

Windows10 (100.0%)

Statistics

Script Score

Comment Score

Total Score

Avg. Score/Script

Latest Scripts

cis_win11_enterprise 18.5.6

Fix Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'.

This script fixes the windows CIS Benchmark check 18.5.6: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'."

cis_win11_enterprise 18.5.8

This script sets the registry key to disable IRDP (PerformRouterDiscovery) as per CIS benchmark and verifies the change.

This script fixes the windows CIS Benchmark check 18.5.8: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'."

Notes

This script directly modifies the registry and does not use Group Policy.
If Group Policy is managing this setting, changes may be overwritten. Consider using Group Policy for persistent changes.
Compatible with PowerShell 5.1.

cis_win11_enterprise 18.5.12

Fix Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.

This script fixes the windows CIS Benchmark check 18.5.12: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."

cis_win11_enterprise 18.6.4.1

Fix Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher.

This script fixes the windows CIS Benchmark check 18.6.4.1: "Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher."

cis_win11_enterprise 18.6.8.1

Fix Ensure 'Enable insecure guest logons' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 18.6.8.1: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."

cis_win11_enterprise 18.6.11.2

Fix Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.2: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."

cis_win11_enterprise 18.6.11.3

Fix Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.3: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."

cis_win11_enterprise 18.6.11.4

Fix Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.6.11.4: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."

cis_win11_enterprise 18.6.14.1

This script sets the registry values to enable Hardened UNC Paths for NETLOGON and SYSVOL shares as per CIS benchmarks and verifies the configuration.

Notes

This script must be run with administrative privileges.
Compatible with PowerShell 5.1.
Follows the principle of least privilege by requiring admin rights only when necessary.

cis_win11_enterprise 18.6.19.2.1

Fix Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)').

This script fixes the windows CIS Benchmark check 18.6.19.2.1: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."