Configuration Hardening Assessment PowerShell Script (CHAPS)
CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and to address systemic issues within the organization’s Windows environment. Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.
This script is NOT intended to be a replacement for Microsoft’s Policy Analyzer. The best way to audit a system’s configuration is to use the Microsoft Security Compliance Toolkit and Policy Analyzer with a Windows Workstation Security Baseline GPO. The Policy Analyzer’s output can be exported to an MS Excel file, but that requires Microsoft Excel to be installed on the system. Cutting and pasting this information does work, but might not be an option on a physical system. Also, using the Policy Analyzer requires installing additional software on the target, which may not be permitted.
This script runs in PowerShell and should be PowerShell-version independent. Some checks may fail depending on the Windows version, system configuration, and whether or not it is run with Administrator privileges. Instances where commands did not run successfully are noted in the output and should be manually investigated where possible.
This script was developed using information from several sources (noted in the Useful Resources section) to identify recommended security configurations to reduce the likelihood of a compromised system and to log user events conducted on the system. It pulls heavily from the Securing Windows Workstations baseline outlined by Sean Metcalf.
System Configuration Checks
System Info Command
- Run the systeminfo command to collect the system information needed as input for the Windows Exploit Suggester – Next Generation (WES-NG) tool.
System Information
- Administrator rights
  - This check determines whether the user running the script has administrator rights. Some checks will not work without admin rights; most of the checks will work unless a security control or configuration prevents it.
  - An error-suppression line is present but commented out. Uncomment that line to suppress all errors. “-ErrorAction SilentlyContinue” has also been used on some of the commands within the script.
- System information
  - System version
  - User and path information
  - System IPv4 addresses
  - System IPv6 addresses
  - Windows AutoUpdate configuration
  - Check for missing Critical and Important updates
  - Check for BitLocker disk encryption
  - Check the AlwaysInstallElevated registry keys
- PowerShell Event Log Settings
  - Determine if PowerShell command-line auditing is enabled.
  - Determine if PowerShell module logging is enabled.
  - Determine if PowerShell script block and invocation logging is enabled.
  - Determine if PowerShell invocation header logging is enabled.
  - Determine if PowerShell protected event logging is enabled.
- Windows Event Log Configurations
  - Check the maximum log file size settings for critical logs:
    - Application
    - System
    - Security
    - Windows PowerShell
    - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - Microsoft-Windows-TaskScheduler/Operational
    - Microsoft-Windows-SMBServer/Audit
    - Microsoft-Windows-Security-Netlogon/Operational
    - Microsoft-Windows-WinRM/Operational
    - Microsoft-Windows-WMI-Activity/Operational
- PowerShell Configuration Settings
  - Version of the default PowerShell engine.
  - Check if PowerShell version 2 is permitted.
  - Determine the installed versions of .NET to determine whether they support PowerShell version 2 (the v2 engine requires .NET Framework 2.0/3.5).
  - Determine if the PowerShell language mode is “ConstrainedLanguage”.
- Cached Credentials
  - Check how many cached credentials the system is configured to maintain.
- Remote Access Configurations
  - Determine if RDP is configured to permit remote connections:
    - Check the setting of AllowRemoteRPC.
    - Check the setting of fDenyTSConnections.
  - Understand the WinRM configuration:
    - Test if the WinRM service is running, using two different methods.
    - Check the Windows Firewall configuration to see if the rules that permit WinRM are enabled.
- Local Administrator Accounts
  - Determine if more than one user is a member of the local Administrators group.
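The registry-backed checks listed above (command-line auditing, the PowerShell logging policies, AlwaysInstallElevated, cached credentials, and the RDP keys) all follow the same pattern, so here is a table-driven version of them. This is an added example, not code from the CHAPS script; the registry paths are the documented policy locations, the `Expected` values reflect the hardening items above and should be adjusted to your own policy, and the `$checks` table and `Get-RegistryCheckResult` function are names chosen for this example. None of these reads needs administrator rights; the HKCU entry reflects whichever user runs the script.

```powershell
# Added example (not CHAPS code): a table-driven way to run the registry-backed
# checks listed above. Each entry records the key, the value name, the setting a
# hardened host should carry (adjust Expected to your own policy) and what it means
# when the value is absent, because a missing value falls back to the Windows
# default rather than meaning "disabled".
$checks = @(
    @{ Name = 'Command-line auditing (4688 events include the command line)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1; Missing = 'not configured; command lines are not logged' },
    @{ Name = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'PowerShell script block logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'PowerShell script block invocation logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockInvocationLogging'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'PowerShell transcription'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableTranscripting'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'PowerShell transcription invocation header'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableInvocationHeader'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'PowerShell protected event logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
       Value = 'EnableProtectedEventLogging'; Expected = 1; Missing = 'not configured (off)' },
    @{ Name = 'AlwaysInstallElevated (machine)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value = 'AlwaysInstallElevated'; Expected = 0; Missing = 'not configured (off, which is the safe state)' },
    @{ Name = 'AlwaysInstallElevated (current user)'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value = 'AlwaysInstallElevated'; Expected = 0; Missing = 'not configured (off, which is the safe state)' },
    @{ Name = 'Cached domain logons (CachedLogonsCount)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'; Expected = 0; Missing = 'not configured; Windows defaults to 10' },
    @{ Name = 'RDP connections denied (fDenyTSConnections)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Expected = 1; Missing = 'not configured' },
    @{ Name = 'Remote RPC to Terminal Services (AllowRemoteRPC)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'AllowRemoteRPC'; Expected = 0; Missing = 'not configured' }
)

function Get-RegistryCheckResult {
    param([hashtable]$Check)
    # Get-ItemProperty -Name fails (quietly, with SilentlyContinue) both when the key
    # and when the value is absent, so a single null test covers both "missing" cases.
    $prop = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Status = 'MISSING'; Check = $Check.Name; Actual = $null
                                  Expected = $Check.Expected; Note = $Check.Missing }
    }
    $actual = $prop.($Check.Value)
    # CachedLogonsCount is REG_SZ while the others are REG_DWORD; compare as strings
    # so "0" and 0 are treated alike.
    $status = if ([string]$actual -eq [string]$Check.Expected) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Status = $status; Check = $Check.Name; Actual = $actual
                       Expected = $Check.Expected; Note = '' }
}

$results = foreach ($c in $checks) { Get-RegistryCheckResult -Check $c }
$results | Format-Table Status, Check, Actual, Expected, Note -AutoSize
```

Keeping the expected values in the table rather than in the code is what makes the report reviewable: a MISSING row is a different finding from a FAIL row, because it tells the reviewer that the Windows default is in force on that host.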
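The remaining checks in the list above (event log sizes, the PowerShell v2 engine and language mode, the WinRM service and firewall rules, and local Administrators membership) cannot be expressed as registry lookups. The following is an added example of those checks and is not code from the CHAPS script. The minimum sizes in `$minLogBytes` are illustrative thresholds, not values taken from this page; the function names are chosen for this example; and reading the Security log and querying the optional-feature state both need administrator rights, which the code reports rather than hides.

```powershell
# Added example (not CHAPS code): cmdlet-based checks for event log capacity,
# PowerShell downgrade exposure, WinRM reachability and local admin membership.

# Illustrative minimum sizes; Microsoft-Windows-PowerShell/Operational is included
# because that is where script block (4104) events land.
$minLogBytes = @{
    'Security'                                                           = 1GB
    'Windows PowerShell'                                                 = 256MB
    'Microsoft-Windows-PowerShell/Operational'                           = 256MB
    'Application'                                                        = 128MB
    'System'                                                             = 128MB
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' = 64MB
    'Microsoft-Windows-TaskScheduler/Operational'                        = 64MB
    'Microsoft-Windows-SMBServer/Audit'                                  = 64MB
    'Microsoft-Windows-Security-Netlogon/Operational'                    = 64MB
    'Microsoft-Windows-WinRM/Operational'                                = 64MB
    'Microsoft-Windows-WMI-Activity/Operational'                         = 64MB
}

function Test-EventLogCapacity {
    foreach ($name in $minLogBytes.Keys) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if ($null -eq $log) {
            [pscustomobject]@{ Log = $name; Enabled = $null; MaxMB = $null; Status = 'MISSING' }
            continue
        }
        # A log that is large enough but disabled (TaskScheduler/Operational is off by
        # default) records nothing, so report that ahead of the size finding.
        $status = 'OK'
        if ($log.MaximumSizeInBytes -lt $minLogBytes[$name]) { $status = 'TOO SMALL' }
        if (-not $log.IsEnabled) { $status = 'DISABLED' }
        [pscustomobject]@{ Log = $name; Enabled = $log.IsEnabled
                           MaxMB = [math]::Round($log.MaximumSizeInBytes / 1MB); Status = $status }
    }
}

function Get-SecurityLogSpanDays {
    # How far back the Security log actually reaches; null means it could not be read
    # (reading Security requires administrator rights).
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $oldest) { return $null }
    return [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
}

function Get-PowerShellDowngradeExposure {
    $v2 = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        DefaultVersion = $PSVersionTable.PSVersion.ToString()
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode   # want ConstrainedLanguage
        V2EngineState  = if ($v2) { $v2.State } else { 'unknown (needs admin rights and the DISM cmdlets)' }
    }
}

function Get-WinRMStatus {
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    # Second method: ask the local WS-Management listener directly.
    try { $null = Test-WSMan -ErrorAction Stop; $responds = $true } catch { $responds = $false }
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        ServiceStatus        = if ($svc) { $svc.Status } else { 'not installed' }
        WSManResponds        = $responds
        EnabledInboundRules  = @($rules).Count   # 0 means the firewall still blocks WinRM
    }
}

function Get-LocalAdminMembers {
    # Use the well-known SID so the check does not depend on the localized group name.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        return Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
    }
    # Hosts without the LocalAccounts module (pre-PowerShell 5.1): parse net.exe output.
    $lines = net localgroup Administrators 2>$null
    $lines | Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); ObjectClass = 'unknown'; PrincipalSource = 'unknown' } }
}

Test-EventLogCapacity | Format-Table -AutoSize
"Security log spans (days): $(Get-SecurityLogSpanDays)"
Get-PowerShellDowngradeExposure
Get-WinRMStatus
$admins = @(Get-LocalAdminMembers)
"Local Administrators members: $($admins.Count) (more than one warrants review)"
$admins | Format-Table -AutoSize
```

The Security log span is worth reporting next to its size: a 1 GB log that only covers three days tells you more about retention on that host than the size alone does.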
CHAPS PowerSploit Security Checks
The PowerSploit project (dev branch) can be used to gather additional information about the system. The chaps-powersploit.ps1 script has been developed to gather this information. Of course, most anti-malware programs will prevent, protect against, and alert on the use of PowerSploit. Therefore, either the anti-malware must be disabled while it runs or the chaps-powersploit.ps1 script should not be used. NOTE: anti-malware programs should be re-enabled immediately after verifying that the script ran correctly.
chaps-powersploit.ps1 TODO:
Here is a list of things that aren’t working, need to be addressed, or are possible feature requests.
- Needs to be tested in a Domain environment.
- Handle errors gracefully.
- Identify new cmdlets to run, such as Find-InterestingFiles with a list of specific files related to ICS project files.
Secure Baseline Checks – Securing Windows Workstations
- Check AppLocker
  - Determine if AppLocker is configured to monitor scripts, at a minimum.
- Check EMET
  - On versions earlier than Windows 10, check that the EMET service is running.
- Deploy LAPS
  - Determine if LAPS is installed. NOTE: not checking if it is configured or used.
- Force Group Policy to reapply settings during “refresh”
  - Determine how NoGPOListChanges is configured to see if GPOs are applied every time they are checked.
- Disable Net Session Enumeration
  - NOTE: For now, extra actions are required to test this. See the TechNet script NetSessEnumPerm.ps1.
- Disable WPAD
  - Check for a WPAD entry in the Windows “etc\hosts” file.
  - Check for the WpadOverride registry key.
  - Determine if the WinHttpAutoProxySvc service is running.
  - Check if the Windows hotfix KB3165191 is installed.
  - Check the WINS configuration:
    - Determine the network adapter configuration for:
      - DNSEnabledForWINSResolution
      - WINSEnableLMHostsLookup
- Disable LLMNR
  - Determine if DNSClient.EnableMulticast is disabled.
- Disable Windows Browser Protocol
  - Determine if the Computer Browser service is running.
- Disable NetBIOS
  - Check the setting of TcpipNetbiosOptions to determine if it is disabled.
- Disable Windows Scripting
  - Check if the Windows Script Host registry key is enabled.
  - Check if the Windows hotfix KB2871997 is installed.
  - NOTE: not sure how to check “Control Scripting File Extensions”
- Prevent Interactive Login
  - Check the configuration of the registry key LocalAccountTokenFilterPolicy to see if it is disabled.
- Disable WDigest
  - Check the configuration of the registry key WDigest.UseLogonCredential to determine if it is disabled.
- Disable SMBv1
  - Use Get-SmbServerConfiguration to check:
    - If SMBv1 is disabled.
    - If SMBv1 auditing is enabled.
- Block Untrusted Fonts on Windows 10
  - Check the registry key Kernel.MitigationOptions to determine if it is configured to block untrusted fonts.
- Enable Credential / Device Guard on Windows 10
  - Check if the Credential Guard or HVCI service is running. NOTE: not checking configuration settings.
  - Check if Device Guard is configured. NOTE: not checking configuration settings.
- Secure LanMan Authentication
  - Check if the registry key Lsa.NoLmHash is enabled.
  - Check if the registry key Lsa.LmCompatibilityLevel is configured to “Send NTLMv2 response only. Refuse LM & NTLM.”
  - Check if anonymous enumeration of the domain is restricted.
  - Check if anonymous enumeration of the local system is restricted.
- Secure Microsoft Office
  - Not implemented at this time.
- Restrict RPC Clients
  - Determine if remote RPC client access is restricted.
- Configure NTLM session security
  - Check the NTLM session security server settings to determine if they require NTLMv2 and 128-bit encryption.
  - Check the NTLM session security client settings to determine if they require NTLMv2 and 128-bit encryption.
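Several of the baseline items above come down to a registry value with a documented meaning, and two of them (the NTLM session security settings) are bit flags that have to be decoded rather than compared. The block below is an added example covering the LanMan authentication, NTLM session security, WDigest, LLMNR, NetBIOS, SMBv1 and WPAD items; it is not code from the CHAPS script. The registry paths are the documented policy locations, the flag constants for NtlmMinClientSec/NtlmMinServerSec are the documented values (0x00080000 requires NTLMv2 session security, 0x20000000 requires 128-bit encryption), and the `Get-RegValue` helper and the other function names are chosen for this example.

```powershell
# Added example (not CHAPS code) for the baseline checks listed above.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }      # key or value absent: the OS default applies
    return $p.$Name
}

function Test-LanManAuthentication {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = Get-RegValue $lsa 'LmCompatibilityLevel'    # 5 = send NTLMv2 only, refuse LM and NTLM
    $noLm  = Get-RegValue $lsa 'NoLmHash'                 # 1 = never store the LM hash
    $anon  = Get-RegValue $lsa 'RestrictAnonymous'        # 1 = no anonymous enumeration of shares/accounts
    $sam   = Get-RegValue $lsa 'RestrictAnonymousSAM'     # 1 = no anonymous enumeration of SAM accounts
    $ok    = ($level -eq 5) -and ($noLm -eq 1) -and ($anon -eq 1) -and ($sam -eq 1)
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = 'LanMan authentication'; LmCompatibilityLevel = $level; NoLmHash = $noLm
                       RestrictAnonymous = $anon; RestrictAnonymousSAM = $sam; Status = $status }
}

function Test-NtlmSessionSecurity {
    param([ValidateSet('NtlmMinClientSec', 'NtlmMinServerSec')][string]$Name)
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' $Name
    $requireNtlmv2 = 0x00080000                    # "Require NTLMv2 session security"
    $require128bit = 0x20000000                    # "Require 128-bit encryption"
    $want = $requireNtlmv2 -bor $require128bit     # 0x20080000 (537395200), the value the GPO writes
    $raw  = [int]$v                                # absent value decodes as 0 flags set
    $status = if (($raw -band $want) -eq $want) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Name
                       Raw = if ($null -eq $v) { 'not set' } else { '0x{0:X8}' -f $raw }
                       RequiresNTLMv2 = (($raw -band $requireNtlmv2) -ne 0)
                       Requires128bit = (($raw -band $require128bit) -ne 0)
                       Status = $status }
}

function Test-Smb1 {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{ Check = 'SMBv1'; Source = 'Get-SmbServerConfiguration'
                                  SMB1Enabled = $cfg.EnableSMB1Protocol; SMB1Audited = $cfg.AuditSmb1Access }
    }
    # Hosts without the SmbShare module: SMB1 = 0 under LanmanServer\Parameters disables the
    # server side; an absent value means the OS default, which is "enabled" on old releases.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1'
    [pscustomobject]@{ Check = 'SMBv1'; Source = 'LanmanServer\Parameters\SMB1'
                       SMB1Enabled = ($v -ne 0); SMB1Audited = $null }
}

function Get-NetbiosState {
    # TcpipNetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $status = if ($_.TcpipNetbiosOptions -eq 2) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Adapter = $_.Description; TcpipNetbiosOptions = $_.TcpipNetbiosOptions
                           WINSEnableLMHostsLookup = $_.WINSEnableLMHostsLookup
                           DNSEnabledForWINSResolution = $_.DNSEnabledForWINSResolution; Status = $status }
    }
}

function Test-WpadExposure {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # A hosts entry pinning "wpad" (and "wpad.") to 255.255.255.255 defeats WPAD name lookups.
    $pin = Select-String -Path $hosts -Pattern '^\s*[\d.]+\s+wpad\.?(\s|$)' -ErrorAction SilentlyContinue
    $svc = Get-Service WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check            = 'WPAD'
        HostsFileEntry   = if ($pin) { ($pin | ForEach-Object { $_.Line.Trim() }) -join '; ' } else { 'none' }
        WpadOverride     = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad' 'WpadOverride'
        AutoProxyService = if ($svc) { $svc.Status } else { 'not present' }
    }
}

function Test-NameResolutionAndCredentials {
    [pscustomobject]@{
        # 0 = LLMNR disabled; absent = LLMNR enabled (the default).
        LLMNR_EnableMulticast      = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
        # 0 = WDigest does not keep plaintext credentials in LSASS. Absent means the OS default:
        # disabled on Windows 8.1/2012 R2 and later, enabled on older releases even with KB2871997.
        WDigest_UseLogonCredential = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    }
}

Test-LanManAuthentication
'NtlmMinClientSec', 'NtlmMinServerSec' | ForEach-Object { Test-NtlmSessionSecurity -Name $_ }
Test-Smb1
Get-NetbiosState | Format-Table -AutoSize
Test-WpadExposure
Test-NameResolutionAndCredentials
```

Decoding the NTLM flags rather than comparing the raw number matters in practice: a host with only 0x20000000 set passes a naive "is 128-bit required" check while still accepting NTLMv1 session security, and the two booleans in the output make that visible.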
Download
git clone https://github.com/cutaway-security/chaps.git
Use
Copyright (c) 2019, Cutaway Security, Inc. <don@cutawaysecurity.com>